Turkish Cyber Threat Targets MSSQL Servers With Mimic Ransomware


Microsoft’s database continues to attract cybercriminal attention; the nature of this wave’s threat group is unknown, and the attacks came to light only after a chance operational-security lapse by the attackers.
January 9, 2024
A sophisticated attack campaign codenamed RE#TURGENCE by researchers has been discovered infiltrating Microsoft SQL (MSSQL) database servers across the United States, European Union, and Latin America, with the primary aim of deploying Mimic ransomware payloads.
The modus operandi of RE#TURGENCE also culminates in another potential outcome: the illicit sale of access to the compromised servers, according to a Securonix report, out today, detailing the threat. Researchers there noted that the malicious actors, based in Turkey, thus appear to be financially motivated.
Beyond that, the nature of the attackers is unknown; Securonix's dedicated Threat Research team was able to glean critical insights into the current spate of attacks only after a significant operational security (OPSEC) lapse by the group.
That breach revealed extensive communications, negotiation tactics, compromised passwords, and a treasure trove of invaluable intelligence, researchers said.
Microsoft's proprietary relational database is a popular target among cyberattackers given its mission-critical nature, and wide deployment across a number of sectors, including enterprises, critical infrastructure, and government.
Securonix was able to determine that in the latest offensive against this attack surface, the RE#TURGENCE campaign, the assailants zero in on MSSQL servers by exploiting known critical vulnerabilities in the platform; they then use the enabled xp_cmdshell procedure built into these servers, which provides operating-system-level administrative capabilities from within the database.
With that foothold, the threat actors can execute arbitrary code on the targeted host and extend their access; they then pivot immediately to system enumeration, using shell commands to dismantle existing defenses, according to Securonix.
The threat actors then deploy a suite of tools to entrench their presence on the compromised server, ensuring persistence and control, and move laterally within the network using Mimikatz and Advanced Port Scanner.
For its part, the Mimic ransomware abuses the legitimate "Everything" file-search app by VoidTools to locate the files it will encrypt. The Mimic variant used in the attacks, which emerged a year ago, uses "red25.exe" as its dropper, which places and runs the files the ransomware needs to complete its work.
"In the end MIMIC ransomware was manually executed by the threat actors and executed on the MSSQL server first, a domain controller, and other domain-joined hosts," the Securonix report noted.
MSSQL databases are often misconfigured, which also contributes to their popularity amongst cybercriminals. And indeed, a July 2023 report from Palo Alto's Unit 42 revealed a staggering 174% increase in malicious attacks targeting vulnerable SQL servers compared to the previous year.
To protect themselves, organizations should first make sure basic configurations are secure and, where possible, should not expose the databases on publicly reachable servers.
Beyond that, "limiting usage or disabling the xp_cmdshell procedure is recommended because the attackers relied heavily on it for remote code execution," says Oleg Kolesnikov, vice president of threat research and cybersecurity for Securonix. "Where this is a well-known attack technique, it is important to follow the best practices for attack surface reduction related to its use."
The firm's report also recommended enabling process-level logging on endpoints and servers for enhanced telemetry for both detections and threat hunting.
"Aside from limiting exposure, it is important for organizations to monitor their database servers and ensure that enhanced telemetry is available, as part of SIEM/SOAR, for example, to be able to detect and prevent such attacks on a timely basis," Kolesnikov said.
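The following T-SQL is an added example, not code from the Securonix report, showing how a DBA can check the xp_cmdshell state the attackers relied on, review who has been granted it, and disable it; it assumes a sysadmin connection to SQL Server 2005 or later, where xp_cmdshell is off by default.

```sql
-- Added example (not from the Securonix report): audit and disable xp_cmdshell.
-- Assumes a sysadmin login on SQL Server 2005 or later.

-- 1. Weak state: is xp_cmdshell currently enabled?
--    value_in_use = 1 means any sysadmin login (or a login explicitly granted
--    EXECUTE on it) can run OS commands under the SQL Server service account,
--    which is exactly the remote-code-execution path described above.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Who besides sysadmin can reach it? Review explicit grants in master.
USE master;
SELECT pr.name AS grantee, pr.type_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.major_id = OBJECT_ID('master.sys.xp_cmdshell');

-- 3. Hardened state: disable xp_cmdshell, then hide advanced options again
--    so the setting is not casually re-exposed through sp_configure.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Verify: both rows should now report value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
```

Because any sysadmin login can re-enable the procedure with the same sp_configure call, this control only holds alongside strong credentials for privileged logins and process-level telemetry that flags cmd.exe being spawned by the SQL Server process.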
The researchers have previously warned of "DB#JAMMER" attacks targeting vulnerable MSSQL database servers with external connections and weak account credentials that dropped another version of the Mimic ransomware, known as FreeWorld.
Kolesnikov explained the RE#TURGENCE threat campaign differs from that and other previous MSSQL database server-targeting attacks, however.
"Specifically, while the initial infiltration methods are similar, DB#JAMMER was slightly more sophisticated and used tunneling," he said. "RE#TURGENCE is more targeted and tends to use legitimate tools and remote monitoring and management, such as AnyDesk, in an attempt to blend in with normal activity."
Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.