Hackers are brute-forcing exposed MS SQL database servers to deliver Mimic ransomware, Securonix researchers are warning.
Mimic ransomware was first spotted in the wild in June 2022 and analyzed by Trend Micro researchers in January 2023.
It abuses the APIs of a Windows filename search engine called Everything to search for files to be encrypted or avoided, and has the ability to delete shadow copies, kill processes and services, unmount virtual drives, activate anti-shutdown and anti-kill measures, and more.
In this recent campaign, hackers managed to access compromised MS SQL servers via brute force attacks.
Once an admin account was compromised and they had access, they leveraged the xp_cmdshell extended stored procedure to execute commands.
Then they performed system enumeration, deployed a heavily obfuscated Cobalt Strike payload to execute additional code, as well as the AnyDesk remote access tool.
They proceeded to do system discovery, move laterally, and finally deployed the ransomware by using AnyDesk.
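The chain above (password brute force against an exposed SQL Server login, followed by enabling xp_cmdshell for command execution) leaves traces in the SQL Server ERRORLOG that a defender can alert on. The following is an added detection example, not code from the article, Securonix or Trend Micro: it parses constructed log lines in the standard ERRORLOG format, flags any client address that exceeds a threshold of failed logins inside a sliding window, flags a subsequent successful login from that same address, and flags the `Configuration option 'xp_cmdshell' changed from 0 to 1` message that sp_configure writes when the procedure is enabled. The sample lines, client addresses, threshold and window size are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG format (not taken from the article).
SAMPLE_LOG = """\
2024-01-10 15:13:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-10 15:13:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-10 15:13:01.60 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-01-10 15:13:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-10 15:13:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-10 15:13:02.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-10 15:14:30.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-01-10 15:15:10.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-01-10 15:16:22.55 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-10 15:16:23.01 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# "<timestamp>.<fraction> <source> <message>" is the ERRORLOG line layout.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(?P<source>\S+)\s+(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from (\d+) to (\d+)")


def parse(log_text):
    """Yield (timestamp, source, message) for each well-formed ERRORLOG line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["source"], m["msg"]


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of (alert_type, subject, detail) tuples.

    threshold/window are assumed tuning values: a client is flagged once it has
    `threshold` failed logins within any `window`-long sliding interval.
    """
    alerts = []
    failures = defaultdict(deque)  # client address -> timestamps of recent failed logins
    flagged = set()                # clients already reported for brute forcing
    for ts, source, msg in parse(log_text):
        f = FAILED_RE.search(msg)
        if f:
            q = failures[f["client"]]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and f["client"] not in flagged:
                flagged.add(f["client"])
                alerts.append(("brute_force", f["client"],
                               f"{len(q)} failed logins within {window.seconds}s"))
            continue
        s = SUCCESS_RE.search(msg)
        if s and s["client"] in flagged:
            # A success from a client that was just brute forcing is the high-value signal.
            alerts.append(("success_after_brute_force", s["client"], f"login as '{s['user']}'"))
            continue
        x = XPCMD_RE.search(msg)
        if x and x.group(2) == "1":
            alerts.append(("xp_cmdshell_enabled", source, msg))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields three alerts: a brute-force alert for 203.0.113.5, a success-after-brute-force alert for the later `sa` login from the same address, and an xp_cmdshell_enabled alert for spid52; the lone failure from 198.51.100.7 stays below the threshold and the `show advanced options` change is deliberately not matched on its own. In practice the same three rules map directly onto SQL Server audit or Windows event log sources, and the threshold should be tuned against normal failure rates for the instance.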
The hackers appear to be financially motivated and have been targeting US, EU and LATAM countries.
This latest campaign is very similar to the one Securonix researchers spotted last year, which also targeted MS SQL servers and delivered a variant of the Mimic ransomware.
In another campaign documented by researchers in early 2020, attackers leveraged poorly secured MS SQL servers to install Vollar and Monero cryptocurrency miners.
Originally published on www.helpnetsecurity.com. Publication date: Wed, 10 Jan 2024 15:13:12 +0000