Financially motivated threat actors have been discovered engaging in a targeted attack campaign, dubbed RE#TURGENCE, aimed at compromising Microsoft SQL Server databases. This sophisticated campaign has primarily focused on organizations in the United States, Europe, and Latin America, with the end goal being the deployment of ransomware or the sale of compromised access to other threat actors.
Initial Access
To gain initial access, the threat actors employed brute-force tactics to bypass administrative credentials for the Microsoft SQL Server. Once successful, they moved on to credential harvesting and enabled a function that allowed them to execute shell commands on the host.
Cobalt Strike Payload
The attackers then executed PowerShell scripts, leading to the deployment of a heavily obfuscated Cobalt Strike payload. This payload was carefully designed to be injected into a Windows process, granting the threat actors enhanced control and stealth capabilities.
Deployment of AnyDesk
As part of their strategy, the threat actors utilized Cobalt Strike to install the legitimate remote desktop software, AnyDesk, onto compromised systems. This shift allowed them to conduct future interactions exclusively through AnyDesk, potentially evading detection.
Follow-up Activities
Following the initial compromise, the attackers employed various tools and techniques to further infiltrate the targeted environment. These included deploying Mimikatz for credential harvesting, leveraging Advanced Port Scanner for environment discovery, and utilizing the Sysinternals utility psexec for lateral movement to a domain controller.
Deployment of Mimic Ransomware
After several attempts at lateral movement, the threat actors proceeded to deploy the Mimic ransomware. This was accomplished through the execution of a self-extracting archive on the MSSQL server, domain controller, and other domain-joined hosts. The ransomware aimed to encrypt critical data, holding it hostage until a ransom was paid.
Monitoring the Attack
During the investigation of this attack, security experts were able to gain insights into the actions of the threat actors. Notably, the attackers enabled the clipboard sharing feature of AnyDesk, inadvertently allowing the cybersecurity firm Securonix to monitor the contents pasted there.
Identification of Turkish Involvement
By analyzing the pasted content, which was in Turkish, and investigating the handle “atseverse,” Securonix determined that at least one of the attackers appears to be located in Turkey. This attribution sheds light on the origin and potential motivations of the threat actors behind the RE#TURGENCE campaign.
The resurgence campaign orchestrated by financially motivated threat actors targeting Microsoft SQL Server databases has highlighted the increasing sophistication and persistence of cybercriminals. Organizations must remain vigilant in securing their SQL Server environments, employing strong access controls, regularly updating software and patches, and implementing robust monitoring solutions. Collaborative efforts between cybersecurity firms and law enforcement agencies are essential to better understanding these evolving threats and mitigating future attacks on critical infrastructure.