May 6, 2024


Researchers have discovered an attack campaign codenamed RE#TURGENCE that aims to infiltrate Microsoft SQL (MSSQL) database servers across the United States, European Union, and Latin America, with the primary aim of deploying Mimic ransomware payloads.

The threat actors are based in Turkey and are financially motivated: the campaign ultimately ends in the illicit sale of access to the compromised assets. The identity of the attackers has not been revealed and remains unknown.


Researchers determined that in the RE#TURGENCE campaign the attackers single out MSSQL servers by exploiting known critical vulnerabilities in the platform and then abuse the xp_cmdshell extended stored procedure, which, when enabled on a server, allows operating-system commands to be run with the privileges of the SQL Server service.

By exploiting this weakness, the threat actors can execute malicious code on the targeted host and gain unrestricted access; from there they pivot immediately to system enumeration, using shell commands to dismantle existing defenses.

The threat actors then deploy a suite of tools to maintain persistence and control over the compromised server, and move laterally within the network using Mimikatz and Advanced Port Scanner.


The Mimic ransomware abuses the legitimate “Everything” search utility by VoidTools to locate the files it encrypts. The Mimic variant used in these attacks, which emerged a year ago, uses “red25.exe” as its dropper to unpack and run the files the ransomware needs to complete its encryption routine.

MSSQL databases are often misconfigured, which contributes to their popularity among threat actors. To protect themselves, organizations should first make sure the basic configuration is secure and, where possible, avoid exposing database servers directly to the internet.

Researchers also recommend enabling process-level logging on endpoints and servers to improve telemetry for both detection and threat hunting.
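The two recommendations above (lock down the configuration, then log what matters) as an added T-SQL example; this is not code from the article or from Securonix, and the event-session name and output file name are placeholders.

```sql
-- Added example: audit, disable and monitor xp_cmdshell, the feature this
-- campaign abuses for OS command execution on MSSQL servers.

-- 1. Audit: is xp_cmdshell enabled, and is the built-in 'sa' login active?
SELECT name,
       CAST(value_in_use AS int) AS value_in_use   -- 1 = OS commands allowed
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

SELECT name, is_disabled, modify_date
FROM sys.server_principals
WHERE sid = 0x01;           -- SID 0x01 is always 'sa', even if it was renamed

-- 2. Harden: turn xp_cmdshell off ('show advanced options' must be on
--    while the setting is changed, then can be switched back off).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Detect: an Extended Events session that records any later attempt to
--    call xp_cmdshell or to re-enable it through sp_configure, with who did
--    it and from where. Name and file name are placeholders.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions
           WHERE name = 'audit_xp_cmdshell')
    DROP EVENT SESSION audit_xp_cmdshell ON SERVER;
GO
CREATE EVENT SESSION audit_xp_cmdshell ON SERVER
ADD EVENT sqlserver.sql_statement_completed
(
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.server_principal_name, sqlserver.sql_text)
    -- case-insensitive match on the completed statement text
    WHERE sqlserver.like_i_sql_unicode_string(statement, N'%xp_cmdshell%')
)
ADD TARGET package0.event_file (SET filename = N'audit_xp_cmdshell.xel')
WITH (STARTUP_STATE = ON);   -- session restarts with the instance
GO
ALTER EVENT SESSION audit_xp_cmdshell ON SERVER STATE = START;
```

Forward the .xel output to the SIEM alongside the process-level logs, so an xp_cmdshell call can be tied to the child process it spawned.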

This research was documented by researchers at Securonix.

Indicators of Compromise
