Financially motivated threat actors believed to be operating out of Turkey have been caught targeting Microsoft SQL Server databases in attacks leading to the deployment of ransomware, cybersecurity firm Securonix warns in a new report.
The attack campaign, named RE#TURGENCE, appears aimed at organizations in the US, Europe, and Latin America, with the attacks ending either in a Mimic ransomware infection or in access to the compromised environment being sold to other threat actors.
For initial access, the threat actors brute-forced administrative credentials for the Microsoft SQL Server, followed by credential harvesting and the enabling of a function that allowed them to execute shell commands on the host.
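As an added illustration (not code from the Securonix report or this article), the following Python sketch shows how a defender might surface this initial-access sequence in SQL Server's ERRORLOG: a burst of failed logins from one client, a successful login from the same client, and shortly afterwards the shell-command feature being switched on. The log lines are constructed samples in the ERRORLOG layout; the feature is assumed to be xp_cmdshell, which the article does not name, and the client address 203.0.113.5 is a documentation-range placeholder.

```python
"""Correlate failed-login bursts with shell-command enablement in SQL Server ERRORLOG."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not from the report). The timestamps, the
# 'sa' and 'reporting' logins and the client addresses are all made up.
SAMPLE_ERRORLOG = """\
2024-01-09 02:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 02:14:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 02:14:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 02:14:02.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 02:14:02.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 02:14:03.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 02:14:03.71 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-01-09 02:15:10.05 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-09 02:15:10.09 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-09 09:30:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
# Assumption: the "function that allowed them to execute shell commands" is xp_cmdshell.
SHELL_OPTION = "xp_cmdshell"


def parse_errorlog(text):
    """Return a list of (timestamp, message) tuples for lines in ERRORLOG layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("msg")))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Clients with at least `threshold` failed logins inside any `window`.

    Returns {client: {"failures": total, "burst_end": ts, "success_after_burst": bool}}.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, msg in events:
        f = FAILED_RE.search(msg)
        if f:
            failures[f.group("client")].append(ts)
            continue
        s = SUCCESS_RE.search(msg)
        if s:
            successes[s.group("client")].append(ts)

    hits = {}
    for client, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = stamps[end]
                hits[client] = {
                    "failures": len(stamps),
                    "burst_end": burst_end,
                    "success_after_burst": any(t > burst_end for t in successes.get(client, [])),
                }
                break
    return hits


def find_shell_enablement(events):
    """Timestamps at which the shell-command option was turned on (0 -> non-zero)."""
    found = []
    for ts, msg in events:
        m = CONFIG_RE.search(msg)
        if m and m.group("option") == SHELL_OPTION and m.group("new") != "0":
            found.append(ts)
    return found


def correlate(events, max_gap=timedelta(hours=1)):
    """Alert when a brute-force burst ends in a login and the shell option follows within max_gap."""
    alerts = []
    for client, info in find_brute_force(events).items():
        if not info["success_after_burst"]:
            continue
        for ts in find_shell_enablement(events):
            if timedelta(0) <= ts - info["burst_end"] <= max_gap:
                alerts.append({"client": client, "failed_logins": info["failures"], "shell_enabled_at": ts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_errorlog(SAMPLE_ERRORLOG)):
        print(alert)
```

Real ERRORLOG output splits the "Error: 18456" line from the "Login failed" line; the sample keeps only the latter, which is the one the regexes key on. The window and threshold are tuning knobs, and the `show advanced options` line is deliberately ignored because it is a prerequisite rather than the event of interest.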
The attackers were seen executing PowerShell scripts leading to a heavily obfuscated Cobalt Strike payload designed to be injected in a Windows process.
Next, the adversaries used Cobalt Strike to deploy the legitimate remote desktop software AnyDesk and shifted to using it exclusively for future interaction with the compromised systems.
Follow-up activities included the deployment of Mimikatz for credential harvesting, the use of Advanced Port Scanner for environment discovery, and the use of the Sysinternals utility psexec to move laterally to a domain controller, which allowed them to access other machines on the network.
After several more attempts at lateral movement, the threat actors then deployed the Mimic ransomware as a self-extracting archive. After the encryption process was completed, a ransom note was deployed in the form of a text file.
“In the end Mimic ransomware was manually executed by the threat actors and executed on the MSSQL server first, a domain controller, and other domain-joined hosts,” Securonix said in its documentation of the threat.
During the analyzed attack, the threat actors enabled the clipboard sharing feature of AnyDesk, which allowed the cybersecurity firm to monitor the contents pasted there, as the compromised host had clipboard monitoring enabled.
By analyzing the pasted content, which was in Turkish, and investigating the handle “atseverse” that appeared there, Securonix determined that at least one of the attackers appears to be located in Turkey.