Hackers Exploiting Poorly Unsecured MS SQL Servers

An ongoing threat campaign dubbed RE#TURGENCE has been observed targeting MS SQL servers in an attempt to deliver a MIMIC ransomware payload. Financially motivated Turkish threat actors appear to be targeting the US, EU, and LATAM nations.
After brute forcing access to the victim server, the attackers used the xp_cmdshell procedure to execute commands on the host.
This procedure should not be enabled; it is usually disabled by default.
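As an added example (not code from the article or from Securonix's report), the following T-SQL reports whether xp_cmdshell is enabled on an instance and turns it off. It uses the documented sys.configurations view and sp_configure procedure; run it as a member of the sysadmin role in SSMS or sqlcmd.

```sql
-- Added example (not from the article): audit and disable xp_cmdshell.

-- 1. Report the current state. value_in_use = 1 means the option is active.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Disable it. 'show advanced options' must be on to change xp_cmdshell,
--    and is switched back off afterwards so the advanced options do not
--    stay exposed to anyone who can run sp_configure.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Confirm: value_in_use should now be 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Any login holding sysadmin can re-enable the option with the same three statements, which is exactly what an attacker with brute-forced sa credentials does. Disabling xp_cmdshell therefore raises the bar and creates a configuration change worth alerting on, but it does not replace strong credentials, lockout policies, and keeping the instance off the public internet.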
The campaign's initial access phase resembles that of DB#JAMMER, which likewise brute forced administrative credentials to gain direct MSSQL access.
After achieving code execution through xp_cmdshell, the attackers ran a command from the sqlservr.exe process.
That command launched an encoded PowerShell command, which the researchers then decoded.
The decoded script was padded with useless comment blocks and hundreds of lines of concatenated variables; its real content was the DLL imports and a Cobalt Strike payload.
With Cobalt Strike serving as the primary point of code execution, the attackers opted for a more interactive strategy.
The attackers mounted and accessed a network share, from which they downloaded the AnyDesk binaries.
PsExec, a legitimate system administration tool that can execute programs on remote Windows hosts, was used for lateral movement.
When the Mimic ransomware is finally delivered, the attack chain comes to an end.
Mimic was first discovered in January 2023 and has since gained popularity.
Mimic will remove all binaries that were utilized to facilitate the encryption procedure.
Once the encryption operation finished, the encryption/payment notice saved on the victim's device was executed by the .exe process.
It is always best to avoid leaving important servers open to the internet.
Attackers were able to brute force their way into the server directly from outside the main network in the RE#TURGENCE scenario.
Access to such resources should instead be provided through a VPN or other, even more secure infrastructure.


This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 10 Jan 2024 10:55:22 +0000