Hackers Exploiting Poorly Secured MS SQL Servers


An ongoing threat campaign dubbed RE#TURGENCE has been observed targeting MS SQL servers in an attempt to deliver a MIMIC ransomware payload.

Financially motivated Turkish threat actors appear to be targeting the US, EU, and LATAM nations.

“The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host or the ultimate delivery of ransomware payloads,” the Securonix Threat Research team shared with Cyber Security News.



Specifics of Turkish Hackers Targeting MSSQL Servers

The attackers brute-forced access to the victim server and then used the xp_cmdshell procedure to execute commands on the host.

This procedure should not be enabled; it is usually disabled by default, and it should stay that way, particularly on publicly exposed servers.

The campaign’s initial access phase is comparable to that of DB#JAMMER, which similarly brute-forced administrative credentials to gain direct MSSQL access.

After gaining code execution through xp_cmdshell, the attackers ran a command from the sqlservr.exe process on the server. That command launches a PowerShell encoded command, which is then decoded and executed.

The PowerShell script is semi-obfuscated, and most of its code appears to be dead; the live portion downloads and runs the next stage.

PowerShell initial code execution 

The next-stage script is heavily obfuscated. Most of it is devoted to DLL imports and the Cobalt Strike payload, padded with useless comment blocks and hundreds of lines of concatenated variables.

With Cobalt Strike serving as the primary point of code execution, the attackers opted for a more interactive strategy. The attackers mounted and accessed a network share, from which they downloaded the AnyDesk binaries.

“The threat actors were able to move laterally into two other machines on the network, likely using data provided by Mimikatz and the Advanced Port Scanner utility,” researchers explain.

PsExec, a legitimate system administration tool for running programs on remote Windows hosts, was used for lateral movement. The attack chain ends with the delivery of the Mimic ransomware.

Mimic was first discovered in January 2023 and has since gained popularity. Mimic removes all binaries that were used to carry out the encryption procedure.

Once the encryption operation finished, the .exe process executed the encryption/payment notice saved on the victim’s device. The text file contained the following message:

MIMIC ransomware payment notification

“In the end, MIMIC ransomware was manually executed by the threat actors and executed on the MSSQL server first, a domain controller, and other domain-joined hosts”, researchers said.

Recommendation

It is always best to avoid exposing important servers directly to the internet. In the RE#TURGENCE case, the attackers brute-forced their way into the server directly from outside the main network.

Access to these resources should instead be provided through a VPN or other, more secure infrastructure.
