Financially motivated threat actors believed to be operating out of Turkey have been caught targeting Microsoft SQL Server databases in attacks leading to the deployment of ransomware, cybersecurity firm Securonix warns in a new report.
The attack campaign appears aimed at organizations in the US, Europe, and Latin America, with the attacks ending either in a Mimic ransomware infection or in access to the compromised environment being sold to other threat actors.
For initial access, the threat actors brute-forced administrative credentials for the Microsoft SQL Server, followed by credential harvesting and the enabling of a function that allowed them to execute shell commands on the host.
The attackers were seen executing PowerShell scripts leading to a heavily obfuscated Cobalt Strike payload designed to be injected in a Windows process.
Next, the adversaries used Cobalt Strike to deploy the legitimate remote desktop software AnyDesk and shifted to using it exclusively for future interaction with the compromised systems.
Follow-up activities included the deployment of Mimikatz for credential harvesting, the use of Advanced Port Scanner for environment discovery, and the use of the Sysinternals utility PsExec to move laterally to a domain controller, which allowed them to access other machines on the network.
After several more attempts at lateral movement, the threat actors deployed the Mimic ransomware as a self-extracting archive.
After the encryption process was completed, a ransom note was deployed in the form of a text file.
During the analyzed attack, the threat actors enabled the clipboard sharing feature of AnyDesk, which allowed the cybersecurity firm to monitor the contents pasted there, as the compromised host had clipboard monitoring enabled.
This Cyber News was published on packetstormsecurity.com. Publication date: Tue, 09 Jan 2024 16:13:45 +0000