Turkish Cyber Threat Targets MSSQL Servers With Mimic Ransomware

Microsofts database continues to attract cybercriminal attention; the nature of this waves threat group is unknown, with the attacks having been exposed only after a happenstance OpSec lag.

A sophisticated attack campaign codenamed RE#TURGENCE by researchers has been discovered infiltrating Microsoft SQL (MSSQL) database servers across the United States, European Union, and Latin America, with the primary aim of deploying Mimic ransomware payloads.
The modus operandi of RE#TURGENCE also culminates in another potential outcome: the illicit sale of access to the compromised servers, according to a Securonix
report,
out today, detailing the threat. Researchers there noted that the malicious actors, based in Turkey, thus appear to be financially motivated.
Beyond that, the nature of the attackers is unknown; Securonixs dedicated Threat Research team was able to glean critical insights into the current spate of attacks only after a significant operational security (OPSEC) lapse by the group.
That breach revealed extensive communications, negotiation tactics, compromised passwords, and a treasure trove of invaluable intelligence, researchers said.
Microsofts proprietary relational database is a popular target among cyberattackers given its mission-critical nature, and wide deployment across a number of sectors, including enterprises, critical infrastructure, and government.
Securonix was able to determine that in the latest offensive against the attack surface, the RE#TURGENCE campaign, the assailants zero in on MSSQL servers by exploiting known critical vulnerabilities in the platform; they then utilize the enabled xp_cmdshell function inherent in these servers, which enables administrative capabilities.
By exploiting this foothold, threat actors are able to execute malicious code on the targeted host, further facilitating their unrestricted access; the attackers can then immediately pivot to system enumeration, employing shell commands to dismantle existing defenses, according to Securonix.
The threat actors then deploy a suite of tools to entrench their presence on the compromised server, ensuring persistence and control, and then move within the network, leveraging Mimikatz and Advanced Port Scanner data.
For its part, the Mimic ransomware exploits the legitimate Everything app by VoidTools to locate and encrypt target files. The Mimic variant used in the attacks, which emerged a year ago, employs red25.exe as its dropper, enabling the execution of essential files for ransomware completion.
In the end MIMIC ransomware was manually executed by the threat actors and executed on the MSSQL server first, a domain controller, and other domain-joined hosts, the Securonix report noted.
MSSQL databases are often misconfigured
, which also contributes to their popularity amongst cybercriminals. And indeed, a July 2023
report
from Palo Altos Unit 42 revealed a staggering 174% increase in malicious attacks targeting vulnerable SQL servers compared to the previous year.
To protect themselves, organizations should first make sure basic configurations are secure and, if possible, the databases should not be enabled on publicly exposed servers.
Beyond that, limiting usage or disabling the xp_cmdshell procedure is recommended because the attackers relied heavily on it for remote code execution, says Oleg Kolesnikov, vice president of threat research and cybersecurity for Securonix. Where this is a well-known attack technique, it is important to follow the best practices for attack surface reduction related to its use.
The firms report also recommended enabling process-level logging on endpoints and servers for enhanced telemetry for both detections and threat hunting.
Aside from limiting exposure, it is important for organizations to monitor their database servers and ensure that enhanced telemetry is available, as part of SIEM/SOAR, for example, to be able to detect and prevent such attacks on a timely basis, Kolesnikov said.
The researchers have
previously warned
of DB#JAMMER attacks targeting vulnerable MSSQL database servers with external connections and weak account credentials that dropped another version of the Mimic ransomware, known as FreeWorld.
Kolesnikov explained the RE#TURGENCE threat campaign
differs from that and other previous MSSQL database server-targeting attacks,
however.
Specifically, while the initial infiltration methods are similar, DB#JAMMER was slightly more sophisticated and used tunneling, he said. RE#TURGENCE is more targeted and tends to use legitimate tools and remote monitoring and management, such as AnyDesk, in an attempt to blend in with normal activity.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Turkish Cyber Threat Targets MSSQL Servers With Mimic Ransomware