January 9, 2024 at 11:24AM
A new report from cybersecurity firm Securonix warns that financially motivated threat actors based in Turkey have been targeting Microsoft SQL Server databases with ransomware attacks. The campaign, primarily aimed at organizations in the US, Europe, and Latin America, involves various malicious activities including brute-forcing credentials, executing shell commands, and deploying ransomware.
Key takeaways from the report:
– Financially motivated threat actors from Turkey have been identified targeting Microsoft SQL Server databases leading to deployment of ransomware, as reported by cybersecurity firm Securonix.
– The attacks have been observed targeting organizations in the US, Europe, and Latin America, culminating in either a Mimic ransomware infection or the compromised environment being sold to other threat actors.
– The threat actors used several tactics: brute-forcing administrative credentials, credential harvesting, execution of shell commands, PowerShell scripts that deploy an obfuscated Cobalt Strike payload, and installation of the legitimate remote desktop software AnyDesk for later access to compromised systems.
– Follow-up activity included deploying Mimikatz for credential harvesting, using Advanced Port Scanner for environment discovery, and using the Sysinternals utility psexec to move laterally to a domain controller and from there to other machines on the network.
– The threat actors manually executed the Mimic ransomware on the MSSQL server and other domain-joined hosts after several attempts at lateral movement.
– The clipboard-sharing feature of AnyDesk was enabled, allowing the cybersecurity firm to monitor pasted content, which was in Turkish, pointing to at least one attacker being located in Turkey.
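As an added, defender-side illustration (not code from the Securonix report or this article), the script below parses SQL Server ERRORLOG login-failure entries (error 18456) and flags any client address with repeated failures inside a short window, the trace the credential brute-forcing stage described above would leave on the server. The log lines, usernames and IP addresses are constructed samples, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# SQL Server writes a failed SQL login as a pair of ERRORLOG lines: the error
# summary (18456, state 8 = wrong password) and a "Login failed" detail line
# that carries the login name and the client address. Samples are constructed.
def _failed_login_lines(ts, user, client):
    return (f"{ts} Logon       Error: 18456, Severity: 14, State: 8.\n"
            f"{ts} Logon       Login failed for user '{user}'. Reason: Password did "
            f"not match that for the login provided. [CLIENT: {client}]")

SAMPLE_ERRORLOG = "\n".join(
    # six failures for 'sa' from one external address within a few seconds
    [_failed_login_lines(f"2024-01-09 11:20:0{i}.00", "sa", "203.0.113.5") for i in range(6)]
    # one isolated failure from an internal host (benign noise)
    + [_failed_login_lines("2024-01-09 11:25:30.00", "backup_svc", "10.0.0.7")]
)

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_login_failures(text):
    """Return (timestamp, user, client_ip) for every 'Login failed' line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["client"]))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Map client_ip -> (total_failures, sorted users tried) for every client
    that reaches `threshold` failures inside any sliding window of
    `window_seconds`. Threshold and window are assumed tuning values."""
    by_client = defaultdict(list)
    for ts, user, client in events:
        by_client[client].append((ts, user))
    hits = {}
    for client, attempts in by_client.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[client] = (len(attempts), sorted({u for _, u in attempts}))
                break
    return hits
```

Running `find_bruteforce(parse_login_failures(SAMPLE_ERRORLOG))` reports only the external address; the single internal failure stays below the threshold.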