Financially Motivated Turkish Hackers Target Microsoft SQL Servers with Mimic Ransomware

Jan 10, 2024 | News

A financially motivated Turkish hacker group has been targeting Microsoft SQL (MSSQL) servers worldwide, encrypting victims' files with Mimic (N3ww4v3) ransomware in a campaign tracked as RE#TURGENCE. The attacks have been directed at targets in the European Union, the United States, and Latin America.

The Securonix Threat Research team, which discovered the campaign, noted that it appears to culminate either in the sale of "access" to the compromised host or in the deployment of ransomware payloads. The time from initial access to the deployment of Mimic ransomware on the victim's domain was approximately one month.


Vulnerable MSSQL servers

 
The threat actors compromised MSSQL database servers exposed online by brute-forcing their logins. They then used the xp_cmdshell system stored procedure to spawn a Windows command shell running with the same security rights as the SQL Server service account. This procedure is disabled by default precisely because of its potential for privilege elevation, yet the attackers were able to abuse it.
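The two events that open this intrusion chain, a burst of failed logins against an internet-facing MSSQL instance and xp_cmdshell being switched on, both leave traces in the SQL Server ERRORLOG. The following script is an added example, not code from the article, BleepingComputer or Securonix: it parses constructed ERRORLOG lines, flags any client address that produces a threshold of failed logins inside a short window (and whether a successful login from that address follows), and flags the configuration message SQL Server writes when xp_cmdshell changes from 0 to 1. The sample log, the IP addresses and user names are constructed, and the threshold and window sizes are assumptions to tune for a given environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (not taken from the article).
# Layout mirrors the real log: timestamp, source column (Logon / spidNN), message.
SAMPLE_LOG = """\
2024-01-10 03:12:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-10 03:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-10 03:12:01.40 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-10 03:12:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-10 03:12:02.05 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-10 03:12:02.05 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-10 03:12:02.70 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-10 03:12:02.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-10 03:12:03.20 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-10 03:12:03.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-10 03:14:22.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-01-10 03:15:03.55 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-10 03:15:03.90 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-10 09:00:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from (\d+) to (\d+)")


def parse_errorlog(text):
    """Yield (timestamp, source, message) for each well-formed ERRORLOG line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and continuation lines carry no timestamp; skip them
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m.group(2), m.group(3)


def analyze(text, threshold=5, window=timedelta(minutes=5)):
    """Return brute-force bursts per client and the times xp_cmdshell was enabled.

    threshold and window are assumed tuning values, not figures from the article.
    """
    failures = defaultdict(list)   # client -> [(timestamp, user)]
    successes = defaultdict(list)  # client -> [(timestamp, user)]
    xp_cmdshell_enabled = []
    for ts, _src, msg in parse_errorlog(text):
        if (m := FAIL_RE.search(msg)):
            failures[m.group(2)].append((ts, m.group(1)))
        elif (m := SUCCESS_RE.search(msg)):
            successes[m.group(2)].append((ts, m.group(1)))
        elif (m := XPCMD_RE.search(msg)) and m.group(2) == "1":
            xp_cmdshell_enabled.append(ts)

    findings = []
    for client, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start..end] span at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = events[end][0]
                # A success from the same client after the burst is the high-fidelity signal.
                later = [u for t, u in successes.get(client, []) if t >= burst_end]
                findings.append({
                    "client": client,
                    "failed_attempts": len(events),
                    "users": sorted({u for _, u in events}),
                    "success_after_burst": later[0] if later else None,
                })
                break  # one finding per client is enough
    return {"brute_force": findings, "xp_cmdshell_enabled_at": xp_cmdshell_enabled}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["brute_force"]:
        print(f"brute force from {f['client']}: {f['failed_attempts']} failures, "
              f"users {f['users']}, success after burst: {f['success_after_burst']}")
    for ts in result["xp_cmdshell_enabled_at"]:
        print(f"xp_cmdshell enabled at {ts}")
```

One caveat when running this against a real ERRORLOG: SQL Server records failed logins by default, but the "Login succeeded" lines only appear if login auditing is set to log both failed and successful logins, so without that setting the success-after-burst field will always be empty even during a genuine compromise. The xp_cmdshell configuration message is written regardless, which makes it a cheap, always-available detection for this stage of the chain.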
 
Subsequently, the attackers deployed a heavily obfuscated Cobalt Strike payload using a sequence of PowerShell scripts and in-memory reflection techniques, aiming to inject it into the Windows-native process SndVol.exe. They also downloaded and launched the AnyDesk remote desktop application as a service, collecting clear text credentials using Mimikatz.
 
After scanning the local network and Windows domain, the attackers compromised the domain controller using credentials stolen previously. They then deployed the Mimic ransomware payloads as self-extracting archives via AnyDesk, searching for files to encrypt using the legitimate Everything app.
 
[Figure: Mimic ransomware ransom note (Securonix)]



The ransomware, once executed, dropped the necessary files to complete its objectives and displayed a payment notice on the victim’s C:\ drive. The email used in the ransom note ([email protected]) links this threat group to Phobos ransomware attacks, which first surfaced in 2018 as a ransomware-as-a-service derived from the Crysis ransomware family.
 
Securonix had previously exposed another campaign targeting MSSQL servers last year (tracked as DB#JAMMER), using the same brute force initial access attack vector and deploying FreeWorld ransomware, another name for Mimic ransomware.


Source: bleepingcomputer.com

