Turkish Cyber Threat Targets MSSQL Servers With Mimic Ransomware

Published: 23/11/2024   Category: security




Microsoft's database continues to attract cybercriminal attention; the nature of this wave's threat group is unknown, and the attacks were exposed only after a chance OpSec lapse.



A sophisticated attack campaign, codenamed RE#TURGENCE by researchers, has been discovered infiltrating Microsoft SQL (MSSQL) database servers across the United States, the European Union, and Latin America, with the primary aim of deploying Mimic ransomware payloads.
The modus operandi of RE#TURGENCE also allows for another outcome: the illicit sale of access to the compromised servers, according to a Securonix report, out today, detailing the threat. Researchers there noted that the malicious actors, based in Turkey, thus appear to be financially motivated.
Beyond that, the nature of the attackers is unknown; Securonix's dedicated Threat Research team was able to glean critical insights into the current spate of attacks only after a significant operational security (OPSEC) lapse by the group.
That lapse revealed extensive communications, negotiation tactics, compromised passwords, and a treasure trove of invaluable intelligence, researchers said.
Microsoft's proprietary relational database is a popular target among cyberattackers given its mission-critical nature and wide deployment across a number of sectors, including enterprises, critical infrastructure, and government.
Securonix determined that in the latest offensive against this attack surface, the RE#TURGENCE campaign, the assailants zero in on MSSQL servers by exploiting known critical vulnerabilities in the platform; they then turn to the xp_cmdshell extended stored procedure, which is disabled by default but, once enabled through sp_configure, lets a login with sysadmin rights run arbitrary operating-system commands under the SQL Server service account.
With that foothold, the threat actors execute malicious code on the targeted host, giving them unrestricted access; they then pivot immediately to system enumeration, using shell commands to dismantle existing defenses, according to Securonix.
The threat actors then deploy a suite of tools to entrench their presence on the compromised server, ensuring persistence and control, before moving laterally within the network using credentials harvested with Mimikatz and hosts mapped with Advanced Port Scanner.
For its part, the Mimic ransomware abuses the legitimate Everything search tool from voidtools to locate the files it will encrypt. The Mimic variant used in the attacks, which emerged a year ago, uses red25.exe as its dropper, which unpacks and launches the components the ransomware needs to complete encryption.
In the end MIMIC ransomware was manually executed by the threat actors and executed on the MSSQL server first, a domain controller, and other domain-joined hosts, the Securonix report noted.
MSSQL databases are often misconfigured, which also contributes to their popularity amongst cybercriminals. And indeed, a July 2023 report from Palo Alto's Unit 42 revealed a staggering 174% increase in malicious attacks targeting vulnerable SQL servers compared to the previous year.
To protect themselves, organizations should first make sure basic configurations are secure and, where possible, not expose database servers to the public internet.
Beyond that, limiting usage or disabling the xp_cmdshell procedure is recommended because the attackers relied heavily on it for remote code execution, says Oleg Kolesnikov, vice president of threat research and cybersecurity for Securonix. Where this is a well-known attack technique, it is important to follow the best practices for attack surface reduction related to its use.
The firms report also recommended enabling process-level logging on endpoints and servers for enhanced telemetry for both detections and threat hunting.
Aside from limiting exposure, it is important for organizations to monitor their database servers and ensure that enhanced telemetry is available, as part of SIEM/SOAR, for example, to be able to detect and prevent such attacks on a timely basis, Kolesnikov said.
The researchers have previously warned of DB#JAMMER attacks targeting vulnerable MSSQL database servers with external connections and weak account credentials, which dropped another version of the Mimic ransomware known as FreeWorld.
Kolesnikov explained that the RE#TURGENCE threat campaign differs from that and other previous MSSQL database server-targeting attacks, however.
Specifically, while the initial infiltration methods are similar, DB#JAMMER was slightly more sophisticated and used tunneling, he said. RE#TURGENCE is more targeted and tends to use legitimate tools and remote monitoring and management, such as AnyDesk, in an attempt to blend in with normal activity.
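Pulling the campaign's technical thread together as detection logic: the example below is added here and is not Securonix's code. It runs three checks over process-creation telemetry of the kind the report recommends collecting: any process spawned directly by sqlservr.exe (the xp_cmdshell pivot described above), reconnaissance binaries running as the SQL Server service account, and the tooling named in the article (Mimikatz, Advanced Port Scanner, the red25.exe dropper, Everything, AnyDesk). Field names follow Sysmon Event ID 1 naming; the sample events, the `SHELLS` and `RECON` lists, and the severities are assumptions made for the example.

```python
"""Flag the xp_cmdshell-to-OS pivot and the post-exploitation tooling described
in the RE#TURGENCE write-up, over process-creation telemetry.

Added example, not Securonix's code. Event fields use Sysmon Event ID 1 names
(Image, ParentImage, CommandLine, User); the events below are constructed."""

from dataclasses import dataclass
import ntpath

# Assumed lists for the example: interactive shells commonly launched through
# xp_cmdshell, and reconnaissance binaries seen in the enumeration stage.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RECON = {"whoami.exe", "ipconfig.exe", "net.exe", "net1.exe", "nltest.exe", "systeminfo.exe",
         "tasklist.exe", "netstat.exe", "quser.exe", "hostname.exe"}
# Tooling named on the page; severities are assumptions. Everything and AnyDesk are
# legitimate programs the campaign abused, so they are marked for review, not blocked.
TOOLING = {
    "mimikatz.exe": ("high", "credential dumper"),
    "red25.exe": ("high", "Mimic dropper"),
    "advanced_port_scanner.exe": ("medium", "network scanner"),
    "everything.exe": ("review", "legitimate file-search tool abused by Mimic"),
    "anydesk.exe": ("review", "legitimate RMM used to blend in"),
}

# Constructed sample telemetry: one benign event, an xp_cmdshell pivot, recon under
# the SQL Server service account, tooling drops, and an RMM install on a DC.
SAMPLE_EVENTS = [
    {"Host": "SQL01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe", "User": r"CORP\dba"},
    {"Host": "SQL01", "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami && ipconfig /all",
     "User": r"NT SERVICE\MSSQLSERVER"},
    {"Host": "SQL01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami", "User": r"NT SERVICE\MSSQLSERVER"},
    {"Host": "SQL01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\mimikatz.exe", "CommandLine": 'mimikatz.exe "sekurlsa::logonpasswords" exit',
     "User": r"CORP\svc_sql"},
    {"Host": "SQL01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\red25.exe", "CommandLine": "red25.exe", "User": r"CORP\svc_sql"},
    {"Host": "DC01", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "CommandLine": "AnyDesk.exe --service",
     "User": r"NT AUTHORITY\SYSTEM"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


def _base(path: str) -> str:
    # ntpath handles Windows separators even when this runs on a non-Windows SIEM host.
    return ntpath.basename(path).lower()


def _is_sql_service_account(user: str) -> bool:
    # Default virtual service accounts: NT SERVICE\MSSQLSERVER or NT SERVICE\MSSQL$INSTANCE.
    return user.upper().startswith("NT SERVICE\\MSSQL")


def analyze(events):
    """Return one Finding per matched rule, in event order."""
    findings = []
    for ev in events:
        parent, image, user = _base(ev["ParentImage"]), _base(ev["Image"]), ev["User"]
        cmd = ev.get("CommandLine", "")
        # Rule 1: anything spawned directly by sqlservr.exe. A shell child is the classic
        # xp_cmdshell signature; any other child is still worth a look.
        if parent == "sqlservr.exe":
            sev = "high" if image in SHELLS else "medium"
            findings.append(Finding(ev["Host"], "sqlservr_child_process", sev, f"{image}: {cmd}"))
        # Rule 2: recon binaries running as the SQL Server service account, one hop
        # below the shell, i.e. the enumeration stage the report describes.
        if image in RECON and _is_sql_service_account(user):
            findings.append(Finding(ev["Host"], "recon_as_sql_service", "medium", f"{image} run by {user}"))
        # Rule 3: tooling named in the campaign write-up.
        if image in TOOLING:
            sev, why = TOOLING[image]
            findings.append(Finding(ev["Host"], "campaign_tooling", sev, f"{image} ({why}): {cmd}"))
    return findings


def summarize(findings):
    """Count findings per severity, for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity:6}] {f.host} {f.rule}: {f.detail}")
    print(summarize(results))
```

Rule 1 is the one to tune carefully: on a healthy server sqlservr.exe rarely spawns children, so the false-positive rate is low, but SQL Agent jobs or CLR assemblies configured by the DBA team can legitimately do so and should be allow-listed by command line rather than by image name. Rule 3 matches on file name only; an attacker who renames mimikatz.exe evades it, so in production pair it with hash or signer checks.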
