Poorly secured Microsoft SQL Server instances in the US, EU, and LATAM are being attacked by financially motivated Turkish threat actors in an ongoing campaign that delivers MIMIC ransomware payloads, according to research from Securonix.
The campaign, which Securonix tracks as RE#TURGENCE, gains initial access to victim systems by targeting insecurely configured MSSQL database servers, the same initial-access technique observed earlier this year in the DB#JAMMER campaign, which went on to deliver Cobalt Strike and FreeWorld ransomware.
“The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” Securonix said in a blog post. “The timeline for the events was about one month from initial access to the deployment of MIMIC ransomware on the victim domain.”
Securonix was able to uncover the details of the campaign thanks to a major OPSEC failure by the attackers. “As the attack unfolded, we were able to monitor the attackers and the system they were using closely through their own Remote Monitoring and Management (RMM) software,” Securonix added.
Initial access through brute force
In the RE#TURGENCE activity Securonix was tracking, the threat actors first brute-forced their way into the victim MSSQL server and then abused the xp_cmdshell extended stored procedure, which allows operating system commands to be run from within SQL Server. Enabling xp_cmdshell requires sysadmin-level rights, so a successful password-guessing attack against a privileged SQL login such as sa is all that stands between an exposed server and arbitrary command execution on the host.
“Typically, this procedure is disabled by default and should not be enabled, especially on publicly exposed servers,” Securonix said.
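The following T-SQL is an added example, not code from the Securonix write-up, showing the enablement sequence the article describes (commented out, for recognition) beside the checks a defender would run on an MSSQL server: whether xp_cmdshell is enabled, which SQL-authenticated logins hold sysadmin, and a brute-force detection over error-log lines. The log rows and the 203.0.113.x / 198.51.100.x client addresses are constructed for the example; in production the same lines come from `xp_readerrorlog`.

```sql
-- 1. Attacker side: what turning on xp_cmdshell looks like once a sysadmin
--    login has been guessed. Left commented out; shown so the sequence is
--    recognisable in SQL audit or trace data.
--    EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
--    EXEC sp_configure 'xp_cmdshell', 1;           RECONFIGURE;
--    EXEC master..xp_cmdshell 'whoami';

-- 2. Defender side: is xp_cmdshell (or a sibling command-execution feature)
--    enabled right now? value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options');

-- Turn it back off and hide advanced options again.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;

-- 3. SQL-authenticated logins with sysadmin are the accounts a password
--    guessing campaign targets. sa should be disabled or renamed, and every
--    remaining SQL login should have policy and expiration checks on.
SELECT sp.name, sp.is_disabled, sl.is_policy_checked, sl.is_expiration_checked
FROM sys.server_principals AS sp
JOIN sys.sql_logins AS sl ON sl.principal_id = sp.principal_id
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- 4. Brute-force detection. @log holds constructed rows in the format SQL
--    Server writes for failed logins; replace the INSERT with
--    EXEC master..xp_readerrorlog 0, 1, N'Login failed' on a live server.
DECLARE @log TABLE (logged_at datetime2, msg nvarchar(400));
INSERT INTO @log (logged_at, msg) VALUES
 ('2024-01-10 03:15:01', N'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]'),
 ('2024-01-10 03:15:02', N'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]'),
 ('2024-01-10 03:15:02', N'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]'),
 ('2024-01-10 03:15:03', N'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]'),
 ('2024-01-10 03:15:04', N'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]'),
 ('2024-01-10 03:15:05', N'Login failed for user ''admin''. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]'),
 ('2024-01-10 09:02:11', N'Login failed for user ''appuser''. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]'),
 ('2024-01-10 09:02:40', N'Login succeeded for user ''appuser''. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]');

WITH parsed AS (
  SELECT logged_at,
         -- login name sits between the first pair of single quotes
         SUBSTRING(msg, CHARINDEX('''', msg) + 1,
                   CHARINDEX('''', msg, CHARINDEX('''', msg) + 1) - CHARINDEX('''', msg) - 1) AS login_name,
         -- client address sits after the literal '[CLIENT: ' (9 characters)
         SUBSTRING(msg, CHARINDEX('[CLIENT: ', msg) + 9,
                   CHARINDEX(']', msg, CHARINDEX('[CLIENT: ', msg)) - CHARINDEX('[CLIENT: ', msg) - 9) AS client_ip
  FROM @log
  WHERE msg LIKE 'Login failed for user%'
)
SELECT client_ip, login_name, COUNT(*) AS failures,
       MIN(logged_at) AS first_seen, MAX(logged_at) AS last_seen
FROM parsed
GROUP BY client_ip, login_name
HAVING COUNT(*) >= 5          -- threshold is an assumption; tune per server
ORDER BY failures DESC;
```

With the constructed rows the last query returns a single hit, 203.0.113.45 against sa with five failures in four seconds, and ignores the one-off failure from 198.51.100.7. The detection only works if the instance's login auditing is set to record failed logins (the default) and, for a server that should never take SQL authentication from the internet, the stronger fix is to require Windows authentication only and to keep port 1433 off the public interface.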