As part of an ongoing financially-motivated operation, weakly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin America (LATAM) regions for initial access.
In a technical report shared with, Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said, "The threat actions analyzed seem to end in one of two ways, either by selling 'access' to compromised hosts Either the eventual delivery ofRansomwarePayload."
This action is related to theTurkish hackerrelated to, and wascyber securityThe company is named RE#TURGENCE.
The initial access to the server involves a brute force attack, which then utilizes thexp_cmdshellConfiguration options run on damaged hostsshell command. This behavior is similar to a previous operation called DB#JAMMER, which came to light in September 2023.
This stage provides a mechanism for retrieving aPowerShell scriptsPaving the way, the script is responsible for extracting a fuzzyCobalt StrikeBeacon payload.
Then after usePenetration ToolkitDownload the AnyDesk Remote Desktop application from a mounted network share to access the machine and download other tools such asMimikatzto collect credentials andAdvanced Port ScannerConduct reconnaissance.
MS SQL Server
Lateral movement can be achieved by executing a program on a remote Windows host through a legitimate system administration utility called PsExec.
The attack chain culminated in the deployment of the Mimic ransomware, a variant of which was also used in the DB#JAMMER operation.
Kolesnikov said, "The indicators used in these two operations and the malicious TTP (tactics, techniques and processes) are completely different, so the likelihood that these are two completely different operations is very high."
"More specifically, while the initial penetration methods are similar, DB#JAMMER is slightly more sophisticated and uses tunneling. re#TURGENCE is more targeted and tends to use legitimate tools and remote monitoring and management, such as AnyDesk, to integrate into normal activities."
Securonix said they discovered a threat actor committing aOperational safetySex (OPSEC) failures, which allowed them to monitor clipboard activity because AnyDesk's clipboard sharing feature was enabled.
This allows them to learn that they are Turkish and that their online alias is aseverse, which also corresponds to a profile on Steam and a profile namedSpyHackTurkishhackerForum.
"Always avoid exposing critical servers directly to the Internet," the researchers caution." In the case of RE#TURGENCE, an attacker was able to gain access to the server with a direct brute force attack from outside the main network."
Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/turkish-hackers-exploiting-ms-sql-servers.html
