
MSSQL Attack Demonstrates Advanced Attack Chain In Deploying FreeWorld Ransomware


Created: Tuesday, September 5, 2023 - 14:07
Categories:
Cybersecurity

Securonix has written a blog post describing an observed brute-force attack against Microsoft SQL servers to deploy Cobalt Strike and FreeWorld ransomware. The organization’s researchers found this attack interesting due to the relative sophistication of its tooling, infrastructure, and payloads.

Though brute-force techniques were used to discover the credentials for the servers, once inside, the attackers used a variety of techniques to perform reconnaissance and establish a robust persistent presence. The blog goes into detail on each step of the attack chain and provides suggested mitigations for MSSQL attacks, including limiting the use of ‘xp_cmdshell’ and increasing monitoring of directories commonly used to stage malware. Read more at Securonix.