A group of financially motivated Turkish hackers targets Microsoft SQL servers worldwide to encrypt the victims' files with Mimic ransomware.
These ongoing attacks are tracked as RE#TURGENCE and have been directed at targets in the European Union, the United States, and Latin America.
The threat actors compromised MSSQL database servers exposed online through brute-force attacks against the SQL logins.
They then used the xp_cmdshell extended stored procedure, which let them spawn a Windows command shell running with the same privileges as the SQL Server service account.
xp_cmdshell is disabled by default because it turns database access into operating-system command execution, a step attackers routinely use to move from a compromised login to the host, and enabling or calling it is commonly flagged by security audit tools.
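The two steps above leave a recognizable trail in the SQL Server ERRORLOG: a burst of error 18456 login failures from one client address, followed shortly by sp_configure reporting that xp_cmdshell changed from 0 to 1. The script below is an added example written for this article, not code from Securonix or BleepingComputer; it parses constructed log lines in the ERRORLOG format, finds brute-force bursts per client IP, and raises an alert when xp_cmdshell is enabled within a grace period after such a burst. The thresholds, the 30-minute grace window and the sample IPs are assumptions chosen for the demo.

```python
"""Detect brute-force login bursts followed by xp_cmdshell being enabled in a
SQL Server ERRORLOG. Added example for this article; sample lines are
constructed in the ERRORLOG format and are not from a real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (assumption: not a real server's log).
SAMPLE_LOG = """\
2024-01-09 10:12:33.45 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-09 10:12:33.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:12:34.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:12:34.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:12:35.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:12:35.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:12:36.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:13:02.10 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-09 10:13:02.31 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-09 11:40:00.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse(log_text):
    """Turn ERRORLOG text into (timestamp, source, message) tuples; skip lines that don't fit the format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["src"], m["msg"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (first_ts, last_ts, count)} for clients with at least
    `threshold` failed logins inside any `window`-long sliding interval."""
    by_ip = defaultdict(list)
    for ts, _, msg in events:
        m = FAILED_RE.search(msg)
        if m:
            by_ip[m["ip"]].append(ts)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = None, 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (times[start], t, count)
        if best:
            bursts[ip] = best
    return bursts


def find_xp_cmdshell_enabled(events):
    """Timestamps at which sp_configure reported xp_cmdshell switched on."""
    return [ts for ts, _, msg in events if XPCMD_RE.search(msg)]


def correlate(events, grace=timedelta(minutes=30), **burst_kwargs):
    """Alert when xp_cmdshell is enabled within `grace` after a brute-force burst.
    The sp_configure message carries only a spid, not a client IP, so the
    correlation is time-based rather than address-based."""
    bursts = find_bruteforce(events, **burst_kwargs)
    alerts = []
    for ts in find_xp_cmdshell_enabled(events):
        for ip, (_, last, count) in bursts.items():
            if last <= ts <= last + grace:
                alerts.append({"ip": ip, "failed_logins": count, "xp_cmdshell_enabled_at": ts})
    return alerts


def analyze(log_text):
    events = parse(log_text)
    return {
        "bursts": find_bruteforce(events),
        "xp_cmdshell": find_xp_cmdshell_enabled(events),
        "alerts": correlate(events),
    }


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(f"ALERT: {alert['failed_logins']} failed logins from {alert['ip']}, "
              f"then xp_cmdshell enabled at {alert['xp_cmdshell_enabled_at']}")
```

In the constructed sample the single failure from 198.51.100.7 stays below the threshold and produces nothing, while the six failures from 203.0.113.5 followed 26 seconds later by the xp_cmdshell change produce one alert. In production the same logic applies to the SQL Server Audit or Extended Events feed, which, unlike the ERRORLOG, also records the login name and client used when xp_cmdshell itself is executed.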
In the next stage, the attackers deployed a heavily obfuscated Cobalt Strike payload using a sequence of PowerShell scripts and in-memory reflection techniques, with the end goal of injecting it into the Windows-native SndVol.exe process.
They also downloaded and installed the AnyDesk remote desktop application as a service, then used Mimikatz to harvest clear-text credentials from the host.
After scanning the local network and Windows domain with the Advanced Port Scanner utility, they moved laterally to other devices and, using the credentials stolen earlier, compromised the domain controller.
They then deployed the Mimic ransomware payloads as self-extracting archives delivered over AnyDesk; Mimic locates the files it will encrypt with the legitimate Everything search app, a technique first observed in January 2023.
As BleepingComputer discovered, the email used in the ransom note also links this threat group to Phobos ransomware attacks.
Phobos first surfaced in 2018 as a ransomware-as-a-service derived from the Crysis ransomware family.
Securonix exposed another campaign targeting MSSQL servers last year using the same brute force initial access attack vector and deploying FreeWorld ransomware.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 09 Jan 2024 18:52:44 +0000