Financially Motivated Turkish Threat Actors Target Microsoft SQL Server Databases with RE#TURGENCE Campaign

Financially motivated threat actors have been discovered engaging in a targeted attack campaign, dubbed RE#TURGENCE, aimed at compromising Microsoft SQL Server databases. This sophisticated campaign has primarily focused on organizations in the United States, Europe, and Latin America, with the end goal being the deployment of ransomware or the sale of compromised access to other threat actors.

Initial Access

To gain initial access, the threat actors employed brute-force tactics to bypass administrative credentials for the Microsoft SQL Server. Once successful, they moved on to credential harvesting and enabled a function that allowed them to execute shell commands on the host.

Cobalt Strike Payload

The attackers then executed PowerShell scripts, leading to the deployment of a heavily obfuscated Cobalt Strike payload. This payload was carefully designed to be injected into a Windows process, granting the threat actors enhanced control and stealth capabilities.

Deployment of AnyDesk

As part of their strategy, the threat actors utilized Cobalt Strike to install the legitimate remote desktop software, AnyDesk, onto compromised systems. This shift allowed them to conduct future interactions exclusively through AnyDesk, potentially evading detection.

Follow-up Activities

Following the initial compromise, the attackers employed various tools and techniques to further infiltrate the targeted environment. These included deploying Mimikatz for credential harvesting, leveraging Advanced Port Scanner for environment discovery, and utilizing the Sysinternals utility psexec for lateral movement to a domain controller.

Deployment of Mimic Ransomware

After several attempts at lateral movement, the threat actors proceeded to deploy the Mimic ransomware. This was accomplished through the execution of a self-extracting archive on the MSSQL server, domain controller, and other domain-joined hosts. The ransomware aimed to encrypt critical data, holding it hostage until a ransom was paid.

Monitoring the Attack

During the investigation of this attack, security experts were able to gain insights into the actions of the threat actors. Notably, the attackers enabled the clipboard sharing feature of AnyDesk, inadvertently allowing the cybersecurity firm Securonix to monitor the contents pasted there.

Identification of Turkish Involvement

By analyzing the pasted content, which was in Turkish, and investigating the handle “atseverse,” Securonix determined that at least one of the attackers appears to be located in Turkey. This attribution sheds light on the origin and potential motivations of the threat actors behind the RE#TURGENCE campaign.

The resurgence campaign orchestrated by financially motivated threat actors targeting Microsoft SQL Server databases has highlighted the increasing sophistication and persistence of cybercriminals. Organizations must remain vigilant in securing their SQL Server environments, employing strong access controls, regularly updating software and patches, and implementing robust monitoring solutions. Collaborative efforts between cybersecurity firms and law enforcement agencies are essential to better understanding these evolving threats and mitigating future attacks on critical infrastructure.

Explore more

How Does Wix-PayPal Partnership Benefit U.S. Merchants?

Merchants continually seek innovations to streamline operations and boost customer satisfaction. An exciting development has emerged from the partnership between Wix and PayPal, promising impactful enhancements for U.S. merchants. This collaboration might just be what it takes to redefine success in today’s competitive digital payment landscape. Why This Story Matters In an era where digital transactions dominate, U.S. merchants face

Trend Analysis: AI in Contact Center Solutions

Imagine a contact center where AI-driven technology not only anticipates customer queries but also ensures a seamless, multilingual dialogue, enhancing both satisfaction and compliance. AI in contact center solutions is no longer a future concept; it’s reshaping the industry landscape today, offering an unprecedented blend of efficiency and customization. As businesses strive to meet escalating consumer expectations, the integration of

Can Stablecoins Balance Privacy and Crime Prevention?

The emergence of stablecoins in the cryptocurrency landscape has introduced a crucial dilemma between safeguarding user privacy and mitigating financial crime. Recent incidents involving Tether’s ability to freeze funds linked to illicit activities underscore the tension between these objectives. Amid these complexities, stablecoins continue to attract attention as both reliable transactional instruments and potential tools for crime prevention, prompting a

AI-Driven Payment Routing – Review

In a world where every business transaction relies heavily on speed and accuracy, AI-driven payment routing emerges as a groundbreaking solution. Designed to amplify global payment authorization rates, this technology optimizes transaction conversions and minimizes costs, catalyzing new dynamics in digital finance. By harnessing the prowess of artificial intelligence, the model leverages advanced analytics to choose the best acquirer paths,

How Are AI Agents Revolutionizing SME Finance Solutions?

Can AI agents reshape the financial landscape for small and medium-sized enterprises (SMEs) in such a short time that it seems almost overnight? Recent advancements suggest this is not just a possibility but a burgeoning reality. According to the latest reports, AI adoption in financial services has increased by 60% in recent years, highlighting a rapid transformation. Imagine an SME