January 9, 2024 at 01:57PM
Financially motivated Turkish hackers are targeting Microsoft SQL servers worldwide, encrypting victims’ files using Mimic ransomware. Tracked as RE#TURGENCE, the attacks have hit targets in the EU, US, and Latin America. The hackers compromise insecure MSSQL servers using brute force attacks, then deploy ransomware payloads and execute other malicious activities. This includes deploying Mimic ransomware via AnyDesk, collecting clear text credentials, and compromising the domain controller. The threat actors’ methods involve utilizing xp_cmdshell and obfuscated Cobalt Strike payloads, among other techniques. The ransom note links the group to Phobos ransomware attacks. Another campaign targeting MSSQL servers last year, tracked as DB#JAMMER, also used ransomware attacks.
Based on the meeting notes, the key points are:
– Turkish hackers are targeting Microsoft SQL (MSSQL) servers worldwide using Mimic (N3ww4v3) ransomware, with ongoing attacks tracked as RE#TURGENCE.
– The attacks are aimed at targets in the European Union, the United States, and Latin America.
– The threat campaign ends with the selling of “access” to compromised hosts or the delivery of ransomware payloads.
– MSSQL servers with insecure configurations are being compromised in brute force attacks, after which the xp_cmdshell system stored procedure is used to elevate privileges.
– The attackers deploy a heavily obfuscated Cobalt Strike payload, launch the AnyDesk remote desktop application, collect clear text credentials using Mimikatz, and compromise the domain controller.
– The Mimic ransomware payloads are deployed as self-extracting archives via AnyDesk, searching for files to encrypt using the legitimate Everything app.
– The ransom note email ([email protected]) links the threat group to Phobos ransomware attacks.
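As an added illustration of the defender's view of the brute force and xp_cmdshell activity described above (example code written for this page, not from the report or any vendor), the script below scans SQL Server ERRORLOG message lines for a burst of failed logins from one client address and for xp_cmdshell being switched on. The log excerpt, client addresses, threshold and window are constructed sample values; the real log also carries a separate "Error: 18456" line before each failure message, which this example does not need.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (sample data for this example, not from the article):
# a burst of failed 'sa' logins from one client, a lone failure from another,
# then the xp_cmdshell option being enabled.
SAMPLE_LOG = """\
2024-01-09 13:57:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 13:57:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 13:57:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 13:57:02.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 13:57:03.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 13:57:30.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-01-09 13:58:10.00 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# Message formats as written by SQL Server; timestamp, login name and client address are captured.
FAILED_LOGIN = re.compile(r"^(\S+ \S+) Logon\s+Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
XP_CMDSHELL = re.compile(r"^(\S+ \S+) \S+\s+Configuration option 'xp_cmdshell' changed from (\d) to (\d)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts found in an ERRORLOG excerpt.

    brute_force: client address -> peak number of failed logins inside one sliding window
    xp_cmdshell_enabled: timestamps at which xp_cmdshell was switched from 0 to 1
    """
    recent = defaultdict(deque)  # client address -> timestamps of failures still inside the window
    alerts = {"brute_force": {}, "xp_cmdshell_enabled": []}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts, client = parse_ts(m.group(1)), m.group(3)
            q = recent[client]
            q.append(ts)
            while q and ts - q[0] > window:  # discard failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts["brute_force"][client] = max(alerts["brute_force"].get(client, 0), len(q))
            continue
        m = XP_CMDSHELL.match(line)
        if m and m.group(3) == "1":
            alerts["xp_cmdshell_enabled"].append(m.group(1))
    return alerts


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Enabling xp_cmdshell is rare on a healthy production instance, so that event alone is worth an alert, and it is a stronger signal still when it follows a login burst from the same period.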