In a sweeping cyber offensive, Turkish hackers have unleashed a ransomware campaign, dubbed RE#TURGENCE, targeting Microsoft SQL Server databases across the United States, European Union, and Latin America. The financially motivated attackers are exploiting weak credentials on internet-exposed servers to deploy the MIMIC ransomware or to sell access to the compromised servers to the highest bidder.
The Securonix Threat Research team has meticulously documented this campaign’s modus operandi, revealing a concerning pattern of attacks on insecure MSSQL servers. The team’s findings underscore the urgent need for strengthened server security to thwart such incursions.
The Infiltration Playbook
The attackers gain initial access by brute-forcing the password of an administrative SQL login on internet-exposed Microsoft SQL Servers. With that access they enable xp_cmdshell, an extended stored procedure that is disabled by default precisely because it lets a SQL login run arbitrary operating-system commands in the context of the SQL Server service account. Once that bridge from database to host is open, they deploy a series of tools and techniques to entrench themselves within the victim’s infrastructure.
Through xp_cmdshell they run a PowerShell script that serves as the delivery mechanism for a heavily obfuscated Cobalt Strike payload, which is then injected into a benign Windows process, SndVol.exe, for stealthy execution. The threat actors also install the remote desktop application AnyDesk and register it as a Windows service so that access persists across reboots.
Credential harvesting is a critical step in the campaign: the hackers run Mimikatz to dump passwords and hashes from the compromised host. They then use the Advanced Port Scanner utility for network reconnaissance and PsExec for lateral movement, culminating in the compromise of the domain controller.
The final act is the manual deployment of the MIMIC ransomware, starting on the SQL server and then moving to the domain controller and other domain-joined hosts. Files are encrypted and a ransom note is dropped, demanding payment in exchange for the decryption key.
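The first two steps of that playbook, a password brute force against a SQL login followed by xp_cmdshell being switched on, both leave traces in the SQL Server ERRORLOG. The following detection script is an added example, not code from Securonix or from the campaign; the message formats are SQL Server's own (error 18456 login failures with the `[CLIENT: ...]` suffix, and the "Configuration option 'xp_cmdshell' changed from 0 to 1" message written when sp_configure runs), but the log lines, client addresses and login names are constructed for the example, and the five-failures-in-ten-minutes threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message formats are SQL Server's ERRORLOG formats; the log content below is
# constructed for this example, not taken from a real incident.
FAIL_RE = re.compile(
    r"^(\S+ \S+) Logon\s+Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
SUCCESS_RE = re.compile(
    r"^(\S+ \S+) Logon\s+Login succeeded for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
XPCMD_RE = re.compile(
    r"^(\S+ \S+) \S+\s+Configuration option 'xp_cmdshell' changed from (\d) to (\d)")


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")


def analyze_errorlog(text, threshold=5, window=timedelta(minutes=10)):
    """Return findings in log order: a brute-force burst (threshold failures from
    one client against one login inside the window), a later success from a
    client that produced such a burst, and xp_cmdshell being enabled."""
    recent = defaultdict(list)   # (client, user) -> failure timestamps in window
    bursts = set()               # (client, user) pairs already reported
    findings = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts, user, client = _ts(m.group(1)), m.group(2), m.group(3)
            key = (client, user)
            # sliding window: drop failures older than `window`, add this one
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= threshold and key not in bursts:
                bursts.add(key)
                findings.append({"kind": "brute_force", "user": user, "client": client,
                                 "at": ts, "failures": len(recent[key])})
            continue
        m = SUCCESS_RE.match(line)
        if m:
            ts, user, client = _ts(m.group(1)), m.group(2), m.group(3)
            if (client, user) in bursts:
                findings.append({"kind": "login_after_brute_force", "user": user,
                                 "client": client, "at": ts})
            continue
        m = XPCMD_RE.match(line)
        if m and m.group(3) == "1":
            findings.append({"kind": "xp_cmdshell_enabled", "at": _ts(m.group(1)),
                             "previous": m.group(2)})
    return findings


def _burst(client, user, start, n):
    """Constructed burst of n failed logins, one second apart, as SQL Server logs them."""
    lines = []
    for i in range(n):
        stamp = (start + timedelta(seconds=i)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-4]
        lines.append(f"{stamp} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{stamp} Logon       Login failed for user '{user}'. Reason: Password "
                     f"did not match that for the login provided. [CLIENT: {client}]")
    return lines


# Constructed sample: six guesses against 'sa' from one address, then a success
# from that address, then xp_cmdshell enabled; plus one unrelated typo-style failure.
SAMPLE_ERRORLOG = "\n".join(
    _burst("203.0.113.5", "sa", datetime(2024, 1, 9, 10, 15, 32), 6) + [
        "2024-01-09 10:15:40.02 Logon       Login succeeded for user 'sa'. Connection made "
        "using SQL Server authentication. [CLIENT: 203.0.113.5]",
        "2024-01-09 10:16:01.55 spid55      Configuration option 'xp_cmdshell' changed from "
        "0 to 1. Run the RECONFIGURE statement to install.",
        "2024-01-09 10:18:09.00 Logon       Error: 18456, Severity: 14, State: 8.",
        "2024-01-09 10:18:09.00 Logon       Login failed for user 'reporting'. Reason: Password "
        "did not match that for the login provided. [CLIENT: 10.0.0.17]",
    ])

if __name__ == "__main__":
    for finding in analyze_errorlog(SAMPLE_ERRORLOG):
        print(finding)
```

The single failed login from 10.0.0.17 never reaches the threshold and produces nothing; the 203.0.113.5 sequence produces three findings in order, which is the shape of the intrusion described above. The xp_cmdshell message is reported on its own regardless of any login activity, since on a server where the option is meant to stay off there is no benign reason for it to flip to 1. Login failures only appear in the ERRORLOG if login auditing is set to record failed (or all) logins, so check that setting before relying on this signal.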
The Ransomware Payload
MIMIC ransomware, first identified in January 2023, is a formidable threat. It abuses Everything, a legitimate Windows file-search utility, to enumerate files to encrypt quickly. After encryption it deletes the binaries it used, leaving behind an ominous text file ransom note on the victim’s C:\ drive.
The campaign’s reach and sophistication are not to be underestimated, but the attackers made an operational security (OPSEC) mistake: AnyDesk’s shared clipboard exposed content from their own machine, revealing communications in Turkish and the online alias “atseverse,” which points to at least one perpetrator’s Turkish origin.
Recommendations and Mitigations
The Securonix team and cybersecurity experts strongly advise against exposing critical servers directly to the internet; a VPN or other access-controlled infrastructure should sit in front of them instead. Because initial access relies on guessing passwords, SQL logins need strong passwords and failed-login monitoring. xp_cmdshell is disabled by default on MSSQL servers and should stay that way; where it cannot be avoided, configuration changes to it should be audited and alerted on, since a flip from disabled to enabled is exactly the step that turned database access into host access in this campaign.
A Global Concern
The RE#TURGENCE campaign stands as a stark reminder of the evolving threat landscape. As noted by CSO Online, “The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads.” This dual outcome underscores the need for vigilance and proactive security measures.
The Hacker News echoes this sentiment, highlighting the importance of not exposing critical servers to the internet. Further insights can be gleaned from BleepingComputer, which details the ransomware’s ransom note and reports its link to the Phobos ransomware, a derivative of Crysis ransomware.
As the cyber community continues to monitor and respond to these threats, it is incumbent upon organizations to bolster their defenses and remain one step ahead of malicious actors. The RE#TURGENCE campaign is not only a wake-up call but also a blueprint for understanding and combating the tactics of modern cyber adversaries.