Fraud Management & Cybercrime
,
Ransomware
Financially Motivated Actors Targeting US, EU and LATAM Countries
Financially motivated Turkish hackers are targeting Microsoft SQL servers in the United States, Europe and Latin America in hacking that ultimately ends with deployment of Mimic ransomware or the sale of access to infected hosts on criminal online markets.
See Also: Live Webinar | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding
Researchers from Securonix dubbed the campaign Re#Turgence and said the hackers brute-force their way into the victim server by guessing administrative passwords.
The campaign is similar to another campaign spotted by Securonix in 2023 dubbed Db#Jammer that also relies on brute force attacks to access exposed Microsoft SQL services.
Trend Micro discovered Mimic ransomware in January 2023 and gave it the name based on string it found in the ransomware binaries. Mimic operators use “Everything“, a legitimate application designed by Voidtools to index filenames to find files targeted for malicious encryption. The ransomware payload in this campaign has the name red25.exe
.
Mimic ransomware appears to be based on source code developed by now-defunct Russian-speaking Conti ransomware group and leaked online in March 2022 (Conti’s Legacy: What’s Become of Ransomware’s Most Wanted?).
Securonix researchers said they were able to monitor the Re#Turgence attackers through an OPSEC failure that exposed their remote monitoring and management software messages, some of them written in Turkish. The messages revealed the handle of one of the hackers, “atseverse,” which also appears on a hacking website called spyhackerz.
Once Re#Turgence hackers successfully guess an admin password, they call a Windows command shell through the xp_cmdshell
system – a function that Securonix said typically shouldn’t be enabled. It allows users to issue operating system commands from within the SQL Server environment. This feature is designed to enable system administrators and advanced users to perform tasks that go beyond the capabilities of Transact-SQL, the standard query language used with SQL Server.
Hackers download a “heavily obfuscated” Cobalt Strike payload injected into a Windows-native process – in this case, the executable responsible for controlling computer volume settings. They use the post-exploitation toolkit to get AnyDesk for remote control from a shared network. They also download other tools, including Mimikatz to grab passwords and Advanced Port Scanner for exploring.
Securonix observed lateral movement occurring after a few days, using the PsExec
telnet replacement.