Poorly secured Microsoft SQL servers within the US, EU, and LATAM are being attacked by financially motivated Turkish threat actors in an ongoing campaign to deliver MIMIC ransomware payloads, according to a Securonix analysis.
The financial cyberthreat campaign, named RE#TURGENCE, gains initial access into victim systems by targeting and exploiting insecurely configured MSSQL database servers, an infection technique observed earlier this year with the DB#JAMMER campaign that subsequently delivered Cobalt Strike and FreeWorld ransomware.
"The analyzed threat campaign appears to end in one of two ways, either the selling of 'access' to the compromised host, or the ultimate delivery of ransomware payloads," Securonix said in a blog post. "The timeline for the events was about one month from initial access to the deployment of MIMIC ransomware on the victim domain."
Securonix was able to uncover the details of the campaign thanks to a major OPSEC failure by the attackers. "As the attack unfolded, we were able to monitor the attackers and the system they were using closely via their own Remote Monitoring and Management (RMM) software," Securonix added.
Initial access via brute force
The RE#TURGENCE threat activity Securonix was monitoring initially had the threat actors brute force their way into the victim MSSQL server and exploit the xp_cmdshell procedure, which allows execution of operating system commands from within the SQL server.
"Typically, this procedure is disabled by default and should not be enabled, especially on publicly exposed servers," Securonix said.
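The two weaknesses described above, a brute-forceable login and an enabled xp_cmdshell, can both be checked from inside the instance. The following T-SQL is an added example written for this page; it is not code from the Securonix report. It assumes a connection with sysadmin rights and uses only built-in catalog views and system procedures (sys.configurations, sp_configure, xp_readerrorlog, sys.sql_logins, sys.server_principals).

```sql
-- Added example (not from the Securonix report): audit and harden xp_cmdshell
-- on a SQL Server instance, and look for the failed logins that a brute-force
-- attempt leaves behind.

-- 1. Is xp_cmdshell enabled right now? value_in_use = 1 means it is live.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Disable it. 'show advanced options' must be on before xp_cmdshell can
--    be changed, so enable it, make the change, then switch it back off.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 3. Brute-force evidence: failed logins in the current error log.
--    xp_readerrorlog arguments: log number (0 = current), log type
--    (1 = SQL Server error log), then up to two strings both of which
--    must match. Error 18456 lines read "Login failed for user '...'".
EXEC xp_readerrorlog 0, 1, N'Login failed', N'sa';

-- 4. Is the built-in 'sa' login still enabled? A well-known, always-present
--    login is the obvious target for password guessing; disabling it (or
--    renaming it) removes that target.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE name = N'sa';

-- 5. Which logins could re-enable xp_cmdshell? Any sysadmin member can run
--    sp_configure, so every entry here is a login whose password strength
--    and exposure matter as much as sa's.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
  AND IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1;
```

Step 3 relies on the instance's default login auditing setting, which records failed logins (and not successful ones) to the error log; if an administrator has changed that setting to "None", the log will be empty even during an attack, so check the setting under Server Properties > Security before trusting a clean result. Disabling xp_cmdshell in step 2 is a configuration change, not a permission change: any remaining sysadmin login from step 5 can turn it back on, which is why the Securonix guidance pairs "keep it disabled" with not exposing the server publicly in the first place.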