A sophisticated attack campaign codenamed RE#TURGENCE by researchers has been discovered infiltrating Microsoft SQL database servers across the United States, European Union, and Latin America, with the primary aim of deploying Mimic ransomware payloads.
The modus operandi of RE#TURGENCE also culminates in another potential outcome: the illicit sale of access to the compromised servers, according to a Securonix report, out today, detailing the threat.
Researchers there noted that the malicious actors, based in Turkey, thus appear to be financially motivated.
Beyond that, the nature of the attackers is unknown; Securonix's dedicated Threat Research team was able to glean critical insights into the current spate of attacks only after a significant operational security lapse by the group.
That breach revealed extensive communications, negotiation tactics, compromised passwords, and a treasure trove of invaluable intelligence, researchers said.
Anatomy of Mimic Ransomware Attacks on MSSQL Servers

Microsoft's proprietary relational database is a popular target among cyberattackers given its mission-critical nature and wide deployment across a number of sectors, including enterprises, critical infrastructure, and government.
Securonix was able to determine that in the latest offensive against this attack surface, the RE#TURGENCE campaign, the assailants zero in on MSSQL servers by exploiting known critical vulnerabilities in the platform; they then make use of the xp_cmdshell extended stored procedure, which, when enabled on these servers, provides operating-system command execution with administrative capabilities.
By exploiting this foothold, threat actors are able to execute malicious code on the targeted host, further facilitating their unrestricted access; the attackers can then immediately pivot to system enumeration, employing shell commands to dismantle existing defenses, according to Securonix.
The threat actors then deploy a suite of tools to entrench their presence on the compromised server, ensuring persistence and control, and then move within the network, leveraging Mimikatz and Advanced Port Scanner data.
Avoiding MSSQL Database Compromise

MSSQL databases are often misconfigured, which also contributes to their popularity amongst cybercriminals.
A July 2023 report from Palo Alto's Unit 42 revealed a staggering 174% increase in malicious attacks targeting vulnerable SQL servers compared to the previous year.
To protect themselves, organizations should first make sure basic configurations are secure and, if possible, the databases should not be enabled on publicly exposed servers.
The firm's report also recommended enabling process-level logging on endpoints and servers for enhanced telemetry for both detections and threat hunting.
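The process-level telemetry recommended above is what makes the xp_cmdshell abuse described earlier visible: xp_cmdshell runs commands as a child process of the SQL Server service, so sqlservr.exe spawning cmd.exe or powershell.exe is the parent/child pair to hunt for. The following is an added example, not code from Securonix or Dark Reading; it assumes process-creation events in Sysmon Event ID 1 field names, one JSON record per line, and the sample records are constructed for illustration.

```python
import json

# Constructed sample of process-creation telemetry (Sysmon Event ID 1 field
# names), one JSON record per line. Made-up data for this example only.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "sqlservr.exe -sMSSQLSERVER", "User": "NT SERVICE\\MSSQLSERVER"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "CommandLine": "cmd.exe /c whoami", "User": "NT SERVICE\\MSSQLSERVER"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe", "User": "CORP\\dba"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "CommandLine": "powershell.exe -nop -c Get-Process", "User": "NT SERVICE\\MSSQLSERVER"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\cmd.exe", "DestinationPort": 445}
'''

SQL_SERVER_IMAGE = "sqlservr.exe"
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_events(log_text):
    """Parse one JSON record per non-empty line into a list of dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def image_name(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_sql_spawned_shell(event):
    """Flag a process-creation event in which the SQL Server service process
    is the direct parent of a command shell. That is the parent/child pair
    xp_cmdshell produces; with xp_cmdshell disabled it should never occur."""
    if event.get("EventID") != 1:
        return False
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent == SQL_SERVER_IMAGE and child in SHELL_IMAGES


def find_sql_spawned_shells(log_text):
    """Return the suspicious events from a log, in log order."""
    return [e for e in parse_events(log_text) if is_sql_spawned_shell(e)]


if __name__ == "__main__":
    for hit in find_sql_spawned_shells(SAMPLE_LOG):
        print(f"ALERT sqlservr.exe spawned a shell: {hit['CommandLine']} as {hit['User']}")
```

On the sample above the detector flags the two shells launched by sqlservr.exe and ignores the DBA's interactive cmd.exe and the network event.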
Kolesnikov explained, however, that the RE#TURGENCE threat campaign differs from those and other previous attacks targeting MSSQL database servers.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 09 Jan 2024 18:45:04 +0000