Microsoft SQL servers that aren't protected with stronger configurations are open to the new RE#TURGENCE attacks.

Poorly secured Microsoft SQL servers in the US, EU, and LATAM are being attacked by financially motivated Turkish threat actors in an ongoing campaign to deliver MIMIC ransomware payloads, according to Securonix research.

The financial cyberthreat campaign, named RE#TURGENCE, gains initial access to victim systems by targeting and exploiting insecurely configured MSSQL database servers, an infection technique observed earlier this year in the DB#JAMMER campaign, which subsequently delivered Cobalt Strike and FreeWorld ransomware.

"The analyzed threat campaign appears to end in one of two ways, either the selling of 'access' to the compromised host, or the ultimate delivery of ransomware payloads," Securonix said in a blog post. "The timeline for the events was about one month from initial access to the deployment of MIMIC ransomware on the victim domain."

Securonix was able to uncover the details of the campaign due to a major OPSEC failure by the attackers. "As the attack unfolded, we were able to monitor the attackers and the system they were using closely through their own Remote Monitoring and Management (RMM) software," Securonix added.

Initial access through brute force

The RE#TURGENCE threat activities Securonix was tracking initially had the threat actors brute force their way into the victim MSSQL server and exploit the xp_cmdshell procedure, which allows execution of operating system commands from within the SQL server. "Typically, this procedure is disabled by default and should not be enabled, especially on publicly exposed servers," Securonix said.

The attackers then used this ability to execute commands on the host system to run a PowerShell command that downloaded a semi-obfuscated file, which in turn performed a secondary download containing a heavily obfuscated Cobalt Strike payload.
The obfuscation was mostly done through hundreds of lines of combined variables and useless comment blocks, the post added.

Cobalt Strike is a commercial penetration testing tool that gives security testers access to a large variety of attack capabilities. The tool is capable of generating remote agents known as beacons that can be deployed to achieve remote code execution (RCE) on the target system once initial access has been gained. "(In this case), the Cobalt Strike beacon was configured to inject into the Windows-native process SndVol.exe," Securonix said. "This process handles volume controls and settings for the system."

Using Cobalt Strike for final payload

The attacker eventually shifted to using Cobalt Strike as the main point of code execution and downloaded AnyDesk binaries to install AnyDesk and add a new local user with administrator privileges. This further enabled the attackers to download Mimikatz, a Windows tool that extracts passwords stored in memory, onto the host system. This was followed by a few steps to establish persistence on the host system. "The threat actors then shifted gears and decided to get to know the network and domain a bit better," Securonix added.

Finally, the attackers used the compromised AnyDesk administrator access to download a self-extracting archive that ran the red.exe dropper, the final Mimic ransomware payload.

Securonix has advised users to refrain from exposing critical servers directly to the internet and to use a VPN instead to allow access to these resources. Additionally, limiting the usage of the xp_cmdshell procedure on MSSQL servers, deploying process-level logging such as PowerShell logging, and monitoring the creation of new users on endpoints are a few useful ways to protect against such intrusions.
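The hardening and monitoring steps described above (disabling xp_cmdshell, turning on PowerShell logging, watching for new local users and for the failed-login bursts that precede a brute-force compromise) can be combined into one defender-side check. The following PowerShell script is an added example written for this article, not code from Securonix or from the campaign write-up. It assumes the SqlServer PowerShell module (which provides Invoke-Sqlcmd) is installed, that it runs with administrator rights on the SQL Server host, that the instance is the default MSSQLSERVER instance (so its failed logins appear in the Application log under that provider name), and that the instance name in $Instance is a placeholder to be replaced.

```powershell
# Added example: audit and harden an MSSQL host against the RE#TURGENCE-style
# intrusion chain. Not from the original article. Assumes the SqlServer module,
# local administrator rights, and a default instance. $Instance is a placeholder.

$Instance = 'SQLHOST'          # placeholder: replace with the real server\instance
$Since    = (Get-Date).AddDays(-1)

# 1. xp_cmdshell: value_in_use = 1 means OS commands can run from T-SQL.
#    Turn it off (sp_configure needs 'show advanced options' to touch it).
$state = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
"@
if ($state.value_in_use -eq 1) {
    Write-Warning "xp_cmdshell is enabled on $Instance; disabling it."
    Invoke-Sqlcmd -ServerInstance $Instance -Query @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;          RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
"@
} else {
    Write-Host "xp_cmdshell is disabled on $Instance."
}

# 2. PowerShell Script Block Logging: records the de-obfuscated script text
#    (event ID 4104 in Microsoft-Windows-PowerShell/Operational), which defeats
#    the variable-splitting and comment-padding obfuscation described above.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sblKey)) { New-Item -Path $sblKey -Force | Out-Null }
Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
Write-Host "Script block logging enabled."

# 3. Brute-force indicator: SQL login failures are written to the Application
#    log as event ID 18456 by the MSSQLSERVER provider. Group them by client IP
#    (the address appears as "[CLIENT: x.x.x.x]" in the message text).
$failed = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MSSQLSERVER'; Id = 18456; StartTime = $Since
} -ErrorAction SilentlyContinue
$failed |
    ForEach-Object { if ($_.Message -match '\[CLIENT:\s*([^\]]+)\]') { $Matches[1] } } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object { "{0,6} failed SQL logins from {1}" -f $_.Count, $_.Name }

# 4. New local users and admin-group additions in the last 24 hours:
#    4720 = user account created, 4732 = member added to a security-enabled local group.
$acct = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4732; StartTime = $Since
} -ErrorAction SilentlyContinue
foreach ($e in $acct) {
    "{0} event {1}: {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`r?`n")[0]
}
```

Run the script on a schedule and feed the last two sections into whatever alerting you already have: a single host showing thousands of 18456 failures from one address followed by a 4720 and a 4732 within the same day is exactly the initial-access-to-persistence sequence the article describes, and it is visible from the host's own logs without any additional tooling.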