Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe


Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access.

“The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical report shared with The Hacker News.

The campaign, linked to actors of Turkish origin, has been codenamed RE#TURGENCE by the cybersecurity firm.

Initial access to the servers involves conducting brute-force attacks, followed by the use of the xp_cmdshell configuration option to run shell commands on the compromised host. This activity mirrors that of a prior campaign dubbed DB#JAMMER that came to light in September 2023.
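The two initial-access steps above (password brute force followed by enabling xp_cmdshell) both leave traces in the SQL Server ERRORLOG. The following detector is an added example, not code from Securonix or the report; the log lines it reads are constructed samples, and the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample SQL Server ERRORLOG lines (not from the Securonix report).
SAMPLE_ERRORLOG = """\
2024-01-09 03:14:02.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-01-09 03:14:02.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-01-09 03:14:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-01-09 03:14:03.49 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-01-09 03:14:04.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-01-09 03:14:04.63 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-01-09 03:14:05.20 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2024-01-09 03:14:09.91 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-09 08:00:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+\S+\s+(.*)$")
LOGIN_RE = re.compile(r"Login (failed|succeeded) for user '([^']+)'.*\[CLIENT: ([\d.]+)\]")
XP_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (kind, client, detail) alerts: brute force, a login after brute force, xp_cmdshell enabled."""
    failures = defaultdict(deque)   # client IP -> timestamps of recent failed logins
    flagged = set()                 # clients already reported as brute-forcing
    alerts = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, body = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2)
        lm = LOGIN_RE.search(body)
        if lm:
            outcome, user, client = lm.groups()
            if outcome == "failed":
                q = failures[client]
                q.append(ts)
                while q and ts - q[0] > window:   # drop failures outside the sliding window
                    q.popleft()
                if len(q) >= threshold and client not in flagged:
                    flagged.add(client)
                    alerts.append(("brute_force", client, f"{len(q)} failed logins for '{user}' within {window.seconds}s"))
            elif client in flagged:   # a success from a client that was just guessing passwords
                alerts.append(("guess_succeeded", client, f"login as '{user}' after brute force"))
        elif XP_RE.search(body):      # the shell-execution step that follows access in RE#TURGENCE
            alerts.append(("xp_cmdshell_enabled", None, body))
    return alerts
```

On the sample, `analyze(SAMPLE_ERRORLOG)` returns three alerts in order: the brute force from 203.0.113.45, the subsequent successful `sa` login from the same client, and the xp_cmdshell change; the single failure from 10.0.0.8 stays below the threshold.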

This stage paves the way for the retrieval of a PowerShell script from a remote server that is responsible for fetching an obfuscated Cobalt Strike beacon payload.

The post-exploitation toolkit is then used to download the AnyDesk remote desktop application from a mounted network share for accessing the machine and downloading additional tools such as Mimikatz to harvest credentials and Advanced Port Scanner to carry out reconnaissance.

Lateral movement is achieved by means of a legitimate system administration utility called PsExec, which can execute programs on remote Windows hosts.

The attack chain ultimately culminates with the deployment of Mimic ransomware, a variant of which was also used in the DB#JAMMER campaign.

“The indicators as well as malicious TTPs used in the two campaigns are completely different, so there is a very high probability these are two disparate campaigns,” Kolesnikov told The Hacker News.

“More specifically, while the initial infiltration methods are similar, DB#JAMMER was slightly more sophisticated and used tunneling. RE#TURGENCE is more targeted and tends to use legitimate tools and remote monitoring and management, such as AnyDesk, in an attempt to blend in with normal activity.”

Securonix said it uncovered an operational security (OPSEC) blunder made by the threat actors that allowed it to monitor clipboard activity, owing to the fact that the clipboard sharing feature of AnyDesk was enabled.

This made it possible to glean their Turkish origins and their online alias atseverse, which also corresponds to a profile on Steam and a Turkish hacking forum called SpyHack.

“Always refrain from exposing critical servers directly to the internet,” the researchers cautioned. “In the case of RE#TURGENCE, attackers were directly able to brute force their way into the server from outside the main network.”
