Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Turkish Hackers Target Microsoft SQL Servers in Americas, Europe

Researchers at Securonix warn that Turkish threat actors are targeting organizations in the Americas and Europe with ransomware campaigns.

Ransomware Attack SEC complaint

Financially motivated threat actors believed to be operating out of Turkey have been caught targeting Microsoft SQL Server databases in attacks leading to the deployment of ransomware, cybersecurity firm Securonix warns in a new report.

The attack campaign, named RE#TURGENCE, appears aimed at organizations in the US, Europe, and Latin America, with the attacks ending either in a Mimic ransomware infection or in access to the compromised environment being sold to other threat actors.

For initial access, the threat actors brute-forced administrative credentials for the Microsoft SQL Server, followed by credential harvesting and the enabling of a function that allowed them to execute shell commands on the host.

The attackers were seen executing PowerShell scripts leading to a heavily obfuscated Cobalt Strike payload designed to be injected in a Windows process.

Next, the adversaries used Cobalt Strike to deploy the legitimate remote desktop software AnyDesk and shifted to using it exclusively for future interaction with the compromised systems.

Follow-up activities included the deployment of Mimikatz for credential harvesting, the use of Advanced Port Scanner for environment discovery, and the use of the Sysinternals utility psexec to move laterally to a domain controller, which allowed them to access other machines on the network.

After several more attempts at lateral movement, the threat actors then deployed the Mimic ransomware as a self-extracting archive. After the encryption process was completed, a ransom note was deployed in the form of a text file.

“In the end Mimic ransomware was manually executed by the threat actors and executed on the MSSQL server first, a domain controller, and other domain-joined hosts,” Securonix said in its documentation of the threat.

Advertisement. Scroll to continue reading.

During the analyzed attack, the threat actors enabled the clipboard sharing feature of AnyDesk, which allowed the cybersecurity firm to monitor the contents pasted there, as the compromised host had clipboard monitoring enabled.

By analyzing the pasted content, which was in Turkish, and investigating the handle “atseverse” that appeared there, Securonix determined that at least one of the attackers appears to be located in Turkey.

Related: MySQL Servers, Docker Hosts Infected With DDoS Malware

Related: Turkish Cyberspies Targeting Netherlands

Related: Estes Express Lines Says Personal Data Stolen in Ransomware Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Ransomware

Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.