The Securonix threat research team recently discovered that a group of financially motivated Turkish threat actors is attacking Microsoft SQL (MSSQL) servers worldwide and encrypting victims' files with the Mimic (N3ww4v3) ransomware.
These ongoing attacks, codenamed RE#TURGENCE, primarily target organizations in the European Union, the United States, and Latin America.
The Securonix threat research team, which spotted the campaign, said: "Analysis shows that there are two main ways in which such attack campaigns can end: either access to the compromised host, or the final delivery of the ransomware payload. From the initial access to the deployment of the Mimic ransomware, the incident took approximately one month."
Target: insecurely configured Microsoft SQL servers
According to the report, the attackers gain initial access by brute-forcing exposed, poorly secured MSSQL database servers. They then use the xp_cmdshell extended stored procedure to spawn a Windows command shell that runs with the same privileges as the SQL Server service account.
xp_cmdshell is disabled by default because it is frequently abused by attackers to escalate privileges, and enabling it often trips security auditing tools.
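As an added example (not code from the Securonix report or from this article), the following Python script shows how a defender could spot this initial-access pattern in the SQL Server ERRORLOG: a burst of failed logins from a single client followed shortly by xp_cmdshell being switched on. The log lines are constructed; their message formats follow what SQL Server writes for login error 18456 and for sp_configure changes, but the client IPs, user names and timestamps are invented, and the tuning of five failures within sixty seconds is an assumed threshold.

```python
"""Triage SQL Server ERRORLOG lines for the RE#TURGENCE initial-access pattern:
a brute-force burst of failed logins followed by xp_cmdshell being enabled.

Added example, not Securonix's or the article's code. Sample lines are
constructed: real message formats, invented hosts, users and timestamps.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt. In a real log every 'Login failed' line is
# preceded by an 'Error: 18456, Severity: 14, State: 8.' line, which the
# parser below simply ignores.
SAMPLE_ERRORLOG = """\
2024-01-08 10:15:32.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:32.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:32.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:33.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:33.38 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:33.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:35.02 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-01-08 10:20:01.45 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-08 10:20:01.47 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

TIMESTAMP = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
LOGIN_FAILED = re.compile(
    TIMESTAMP + r"\s+Logon\s+Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)
CONFIG_CHANGE = re.compile(
    TIMESTAMP + r"\s+\S+\s+Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)


def parse_timestamp(ts: str) -> datetime:
    # %f accepts the 2-digit fraction SQL Server writes.
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def parse_errorlog(text: str) -> list[dict]:
    """Turn ERRORLOG lines into login-failure and config-change events; other lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:
            events.append({"kind": "login_failed", "ts": parse_timestamp(m["ts"]), "ts_raw": m["ts"],
                           "user": m["user"], "client": m["client"]})
            continue
        m = CONFIG_CHANGE.search(line)
        if m:
            events.append({"kind": "config_change", "ts": parse_timestamp(m["ts"]), "ts_raw": m["ts"],
                           "option": m["option"], "old": int(m["old"]), "new": int(m["new"])})
    return events


def brute_force_sources(events, threshold=5, window_seconds=60) -> dict[str, int]:
    """Clients with at least `threshold` failed logins inside any `window_seconds` span.

    Returns {client: most failures seen in one window}. Threshold and window are assumed tuning values.
    """
    by_client = defaultdict(list)
    for e in events:
        if e["kind"] == "login_failed":
            by_client[e["client"]].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for client, stamps in by_client.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged


def xp_cmdshell_enabled(events) -> list[str]:
    """Raw timestamps at which xp_cmdshell was switched on (sp_configure ... 1)."""
    return [e["ts_raw"] for e in events
            if e["kind"] == "config_change" and e["option"] == "xp_cmdshell" and e["new"] == 1]


def analyze(text: str) -> dict:
    """Full triage: brute-force sources, xp_cmdshell enablement, and whether both occurred."""
    events = parse_errorlog(text)
    flagged = brute_force_sources(events)
    enabled = xp_cmdshell_enabled(events)
    return {"brute_force": flagged, "xp_cmdshell_enabled": enabled,
            "likely_compromise": bool(flagged) and bool(enabled)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_ERRORLOG).items():
        print(f"{key}: {value}")
```

The 'Configuration option ... changed' message is written regardless of who ran sp_configure, so a DBA enabling xp_cmdshell for maintenance produces the same line; the combination with a preceding brute-force burst from an external client is what makes it worth an alert rather than the enablement alone.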
In the next phase, the attackers deploy a heavily obfuscated Cobalt Strike payload using a series of PowerShell scripts and in-memory reflection techniques, with the ultimate goal of injecting it into the Windows-native process SndVol.exe.
The attackers also install the AnyDesk remote desktop application as a service and then begin collecting credentials extracted with Mimikatz.
After scanning the local network and the Windows domain with Advanced Port Scanner, the attackers spread to other devices on the network and compromise the domain controllers using the previously stolen credentials.
Ransomware is dropped through AnyDesk
The attackers then deliver the Mimic ransomware payload as a self-extracting archive via AnyDesk. The payload abuses the legitimate Everything file-search application to locate files to encrypt, a technique security researchers first observed in January 2023.
"Mimic will delete the Everything binary that is used to assist in the encryption process. In our case, Mimic drops the program 'red25.exe', which removes all the necessary files so that the main ransomware payload can accomplish its goal," Securonix said.
"Once the encryption process is complete, the red.exe process drops a ransom note whose name starts with '---IMPORTANT---NOTICE---' and ends in '.txt', saved on the victim's C drive."
BleepingComputer found that the email address used in the Mimic ransom note (datenklause0@gmail.com) is associated with the Phobos ransomware. Phobos first emerged in 2018 as a ransomware-as-a-service (RaaS) operation derived from the Crysis ransomware family.
Securonix also documented another campaign against MSSQL servers last year (tracked as DB#JAMMER) that used the same brute-force initial access and deployed the FreeWorld ransomware (a Mimic ransomware variant).