Securonix, a cybersecurity firm, has issued a warning detailing a series of attacks targeting Microsoft SQL Server databases. The campaign, tracked as RE#TURGENCE, is attributed to financially motivated threat actors believed to be based in Turkey, and its targets are primarily organizations in the US, Europe, and Latin America.
The intrusion begins with brute-forcing the credentials of administrative Microsoft SQL Server logins, followed by credential harvesting and enabling of xp_cmdshell, the extended stored procedure that lets a SQL Server login run shell commands on the host. xp_cmdshell is disabled by default and must be switched on through sp_configure, so its enablement on a production instance is itself a strong signal that a database login has been abused for host access.
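A detection for the entry stage described above, written for this article as an added example (it is not code from Securonix or from the RE#TURGENCE report): it parses SQL Server ERRORLOG lines, flags a burst of failed logins from one client against one SQL login, and then looks for a successful login from that client followed shortly by the message SQL Server writes when xp_cmdshell is enabled. The log excerpt is constructed for the example (the hosts, times and IPs are invented); the message wording is SQL Server's own. Successful-login lines appear only when the instance's login auditing is set to record successful as well as failed logins, so the chain check degrades to brute force plus xp_cmdshell alone if that auditing is off. The thresholds and time windows are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt (invented for this example; not data from the report).
# The companion "Error: 18456, Severity: 14, State: 8." lines are omitted for brevity.
SAMPLE_ERRORLOG = """\
2024-01-09 10:15:22.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:15:22.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:15:22.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:15:23.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:15:23.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:15:30.01 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-01-09 10:16:03.55 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-09 10:16:03.58 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-09 11:02:11.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.24]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
OK_RE = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse_errorlog(text):
    """Return a list of (timestamp, kind, user, client_ip) for the events we care about.
    kind is 'fail', 'ok' or 'xp_cmdshell'; the configuration message carries no client."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines and unrelated messages
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group("msg")
        if f := FAIL_RE.search(msg):
            events.append((ts, "fail", f.group("user"), f.group("ip")))
        elif o := OK_RE.search(msg):
            events.append((ts, "ok", o.group("user"), o.group("ip")))
        elif XPCMD_RE.search(msg):
            events.append((ts, "xp_cmdshell", None, None))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failures per (client_ip, login).
    Returns {(ip, user): first_failure_ts} for every pair that reached `threshold`
    failures inside `window`. Threshold and window are assumed tuning values."""
    failures = {}
    for ts, kind, user, ip in events:
        if kind == "fail":
            failures.setdefault((ip, user), []).append(ts)
    hits = {}
    for key, times in failures.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[key] = times[lo]
                break
    return hits


def brute_force_to_xp_cmdshell(events, threshold=5, window=timedelta(minutes=5),
                               followup=timedelta(minutes=30)):
    """Correlate the chain from the article: brute force against a SQL login, then a
    successful login from the same client, then xp_cmdshell enabled within `followup`."""
    brute = brute_force_sources(events, threshold, window)
    findings = []
    for ts, kind, user, ip in events:
        if kind != "ok" or (ip, user) not in brute or ts < brute[(ip, user)]:
            continue
        enabled = [t for t, k, _, _ in events if k == "xp_cmdshell" and ts <= t <= ts + followup]
        if enabled:
            findings.append({
                "client": ip,
                "login": user,
                "brute_force_started": brute[(ip, user)],
                "login_succeeded": ts,
                "xp_cmdshell_enabled": enabled[0],
            })
    return findings


if __name__ == "__main__":
    for finding in brute_force_to_xp_cmdshell(parse_errorlog(SAMPLE_ERRORLOG)):
        print("ALERT possible SQL brute force followed by xp_cmdshell enablement:", finding)
```

On the sample, the five rapid failures for 'sa' from 203.0.113.5 trip the brute-force rule, the single failure for 'reporting' does not, and the xp_cmdshell message 34 seconds after the successful 'sa' login completes the chain. In a real deployment the same logic runs over the ERRORLOG files shipped by your log collector, and the xp_cmdshell rule alone is worth a high-severity alert on any instance where that procedure is not meant to be on.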
With shell access on the database host, the attackers executed heavily obfuscated PowerShell scripts that ultimately delivered a Cobalt Strike payload, which was injected into a Windows process.
They then used Cobalt Strike to install AnyDesk, a legitimate remote desktop tool, and from that point relied on AnyDesk alone for all further interaction with the compromised systems.
Their subsequent activity included running Mimikatz to harvest credentials, using Advanced Port Scanner to map the environment, and using the Sysinternals utility PsExec to move laterally to a domain controller, which in turn gave them access to other machines on the network.
After multiple attempts at lateral movement, the threat actors deployed the Mimic ransomware through a self-extracting archive. Once the encryption process was finalized, they posted a ransom note in the form of a text file.
Securonix noted in its write-up that the threat actors enabled clipboard sharing in AnyDesk during the attack, which let the firm observe the content they pasted; that content was in Turkish. Investigation into the handle "atseverse" led Securonix to assess that at least one of the attackers is located in Turkey.