CyberSecurityBoard
Sponsor Register Login

Hackers Exploiting Poorly Unsecured MS SQL Servers

An ongoing threat campaign dubbed RE#TURGENCE has been observed, which involves targeting MS SQL servers in an attempt to deliver a MIMIC ransomware payload. Turkish threat actors with financial motivations seem to be aiming after the US, EU, and LATAM nations.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month.
Researchers used the xp cmdshell procedure to brute force access to the victim server and execute commands on the host.
This procedure should not be enabled; it is usually disabled by default.
The campaign's initial access phase is comparable to that of DB#JAMMER, which similarly used brute forcing administrative credentials to gain direct MSSQL access.
Following their successful execution of code via the xp cmdshell method, the attackers ran the command from the sqlservr.
This command helps to execute a PowerShell-encoded command, which is then decoded.
It was mostly focused on the DLL imports and the Cobalt Strike payload, which was made up of useless comment blocks and hundreds of lines of combined variables.
With Cobalt Strike serving as the primary point of code execution, the attackers opted for a more interactive strategy.
The attackers mounted and accessed a network share, from which they downloaded the AnyDesk binaries.
PsExec is a legitimate system administration tool that can execute programs on remote Windows hosts and is used for performing lateral movement.
When the Mimic ransomware is finally delivered, the attack chain comes to an end.
In January 2023, mimic was first discovered and became popular.
Mimic will remove all binaries that were utilized to facilitate the encryption procedure.
The encryption/payment notice that was saved on the victim's device was executed by the.
Exe process once the encryption operation was finished.
It is always best to avoid leaving important servers open to the internet.
Attackers were able to brute force their way into the server directly from outside the main network in the RE#TURGENCE scenario.
It is recommended that access to these resources should be made possible via a VPN or other even more secure infrastructure.
Try Kelltron's cost-effective penetration testing services for free to assess and evaluate the security posture of digital systems.


This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 10 Jan 2024 10:55:22 +0000


Cyber News related to Hackers Exploiting Poorly Unsecured MS SQL Servers

The Cyber Risks Of Using Unsecured Wi-Fi Networks And How To Avoid Them - In the hustle and bustle of our daily lives, public Wi-Fi has become a lifeline for many. Whether in coffee shops, airports, or local hangouts, the convenience of free Wi-Fi is undeniable. A recent study by NordVPN draws light on a concerning trend - ...
8 months ago Cysecurity.news
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
1 year ago Hackread.com
Google links WinRAR exploitation to Russian, Chinese state hackers - Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems. ...
11 months ago Bleepingcomputer.com
Echoes of SolarWinds: JetBrains TeamCity servers under attack by Russia-backed hackers - The SolarWinds hackers are infiltrating JetBrains TeamCity servers via a critical vulnerability enabling authorization bypass and arbitrary code execution, government officials warn. Russian Foreign Intelligence Service-backed threat actor CozyBear ...
10 months ago Packetstormsecurity.com
Hackers Attacking Linux SSH Servers to Deploy Scanner Malware - Hackers often target Linux SSH servers due to their widespread use in hosting critical services, and the following loopholes make them vulnerable, providing opportunities to hackers for unauthorized access and potential exploitation:-. Cybersecurity ...
10 months ago Gbhackers.com
Poorly secured PostgreSQL, MySQL servers targeted by ransomware bot - Users exposing poorly secured PostgreSQL and MySQL servers online are in danger of getting their databases wiped by a ransomware bot, Border0 researchers are warning. The attackers asks for a small sum to return / not publish the data, but those who ...
9 months ago Helpnetsecurity.com
CISA: Russian hackers target TeamCity servers since September - CISA and partner cybersecurity agencies and intelligence services warned that the APT29 hacking group linked to Russia's Foreign Intelligence Service has been targeting unpatched TeamCity servers in widespread attacks since September 2023. APT29 is ...
10 months ago Bleepingcomputer.com
Hackers are targeting exposed MS SQL servers with Mimic ransomware - Hackers are brute-forcing exposed MS SQL database servers to deliver Mimic ransomware, Securonix researchers are warning. Mimic ransomware was first spotted in the wild in June 2022 and analyzed by Trend Micro researchers in January 2023. It abuses ...
9 months ago Helpnetsecurity.com
Attackers Targeting Poorly Managed Linux SSH Servers - In recent times, Linux SSH servers have become a prime target for attackers aiming to compromise security and exploit vulnerabilities for malicious activities. This article delves into the growing concern surrounding poorly secured Linux SSH servers, ...
9 months ago Securityboulevard.com
Microsoft Defender Adds protection to Detect unsecured Wi-Fi connections - Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world. Recognizing these risks, Microsoft Defender has introduced features designed to protect users from ...
1 month ago Cybersecuritynews.com
Hackers breach US govt agencies using Adobe ColdFusion exploit - The U.S. Cybersecurity and Infrastructure Security Agency is warning about hackers actively exploiting a critical vulnerability in Adobe ColdFusion identified as CVE-2023-26360 to gain initial access to government servers. The security issue allows ...
11 months ago Bleepingcomputer.com
Russian hackers exploiting Outlook bug to hijack Exchange accounts - Microsoft's Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information. The targeted ...
11 months ago Bleepingcomputer.com
Why Have Big Cybersecurity Hacks Surged in 2023? - Payments made to hackers who hold systems hostage for ransom increased by almost half through September, according to blockchain analytics firm Chainalysis Inc., totaling almost $500 million in payouts. In just the past few months, hackers have ...
10 months ago Bloomberg.com
Booking.com hackers increase attacks on customers - Hackers are increasing their attacks on Booking.com customers by posting adverts on dark web forums asking for help finding victims. Cyber-criminals are offering up to $2,000 for login details of hotels as they continue to target the people who are ...
11 months ago Bbc.com
Holiday Hackers: How to Safeguard Your Service Desk - Hackers really don't take holidays, but they will take advantage of them. Many of these cyberattacks will zero in on the service or help desk to gain entry into network systems. Recovering accounts because of forgotten passwords is one of the ...
11 months ago Bleepingcomputer.com
Hacker Conversations: Chris Evans, Hacker and CISO - Chris Evans is CISO and chief hacking officer at HackerOne. SecurityWeek's Hacker Conversations series seeks to understand the mind and motivations of hackers by talking to hackers. Evans challenges the common perception of both hackers and their ...
4 months ago Securityweek.com
Careless oversight of Linux SSH servers draws cryptominers, DDoS bots - Cybercriminals are targeting poorly managed Linux SSH servers to install malware for cryptomining or carrying out distributed denial-of-service attacks, researchers have found. According to a report by AhnLab released this week, bad password ...
10 months ago Therecord.media
Hackers Exploiting MS-SQL Severs To Deploy Mallox Ransomware - Information such as financial records, customer information, and intellectual property that may be sold on the black web markets is what MS-SQL servers commonly store. A hacked MS-SQL server can present an entry point into the organization's network, ...
5 months ago Cybersecuritynews.com
North Korean hackers exploit critical TeamCity flaw to breach networks - Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely to conduct software supply chain attacks. In September, TeamCity fixed a critical ...
11 months ago Bleepingcomputer.com
Hackers Exploiting Poorly Unsecured MS SQL Servers - An ongoing threat campaign dubbed RE#TURGENCE has been observed, which involves targeting MS SQL servers in an attempt to deliver a MIMIC ransomware payload. Turkish threat actors with financial motivations seem to be aiming after the US, EU, and ...
9 months ago Cybersecuritynews.com
The Unlikely Romance of Hackers and Government Suitors - The annual Hack the Capitol event brings together a diverse group of scientists, hackers, and policymakers to educate congressional staffers, scholars, and the press about the most critical cybersecurity challenges facing our nation. Hack the Capitol ...
10 months ago Darkreading.com
North Korean Hackers Use Fake Job Offers & Salary Bumps as Lure for Crypto Theft - Recent investigations have uncovered a massive operation carried out by North Korean hackers looking to steal cryptocurrency through fake job offers and salary bumps. According to recent reports, hackers have been able to trace the malicious ...
1 year ago Therecord.media
Hackers Fix Polish Train Glitch, Face Legal Pushback by the Manufacturer - In a recent cybersecurity incident, three Polish hackers achieved success in repairing the malfunctioning software of a train, initially serviced by independent repair shops for a regional rail operator. The narrative took a twist when accusations ...
10 months ago Hackread.com
Hackers breach Australian court hearing database - The court system for Australia's second-most-populated state was hit by a ransomware attack that potentially exposed sensitive recordings of some court hearings. Court Services Victoria, an administrative body that supports the operations of the ...
10 months ago Therecord.media
Kinsing malware exploits Apache ActiveMQ RCE to plant rootkits - The Kinsing malware operator is actively exploiting the CVE-2023-46604 critical vulnerability in the Apache ActiveMQ open-source message broker to compromise Linux systems. The flaw allows remote code execution and was fixed in late October. Apache's ...
11 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)