RE#TURGENCE: Turkish hackers attack Microsoft SQL servers

Brother

Many regions around the world have already been affected, and their number is only growing over time.

Recently, attacks on poorly protected MS-SQL servers have been observed in the United States, the European Union, and the Latin American region. Security researchers from Securonix believe that this campaign is aimed at obtaining initial access and is motivated by financial gain.

Experts note that every successful intrusion in the campaign they examined ended either with access to the compromised host being sold or with ransomware being delivered. Securonix researchers attribute the campaign to Turkish hackers and gave it the code name RE#TURGENCE.

Access to MS-SQL servers is gained by brute-forcing passwords, after which the xp_cmdshell configuration option is enabled and used to execute shell commands on the compromised host. This is reminiscent of an earlier campaign, DB#JAMMER, discovered in September 2023.

A PowerShell script is then retrieved from a remote server; it is responsible for downloading a disguised Cobalt Strike payload.

After that, the attackers download the AnyDesk remote desktop application from a network share to gain interactive access to the machine and fetch additional tools, such as Mimikatz for harvesting credentials and Advanced Port Scanner for reconnaissance.

Lateral movement is carried out by hackers using a legitimate system administration utility called PsExec, which can execute programs on remote Windows hosts.

Ultimately, the whole attack chain leads to the deployment of the Mimic ransomware, a variant of which was also used in the earlier DB#JAMMER campaign.
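The chain above starts with a burst of failed logins against MS-SQL and continues with xp_cmdshell being switched on, and both of those steps leave messages in the SQL Server ERRORLOG. The following detection script is an added example, not code from Securonix or from the article; it runs over a constructed ERRORLOG excerpt (the hostnames, client IPs, login names and timestamps are made up, and the threshold of ten failures in five minutes followed by an xp_cmdshell enablement within an hour is an assumed tuning, not a figure from the report). It flags a client that guesses passwords, logs in successfully, and is then followed by the "Configuration option 'xp_cmdshell' changed from 0 to 1" message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ERRORLOG lines look like: "<timestamp> <source> <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<src>\S+)\s+(?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"\[CLIENT: (?P<client>[^\]]+)\]")
USER_RE = re.compile(r"Login (?:failed|succeeded) for user '(?P<user>[^']*)'")
XP_CMDSHELL_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def constructed_sample():
    """Constructed ERRORLOG excerpt (not real data): ten failed 'sa' logins from
    one client, a success, the sp_configure messages, and an unrelated failure."""
    lines = [
        f"2024-01-09 10:00:0{i}.00 Logon       Login failed for user 'sa'. "
        "Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]"
        for i in range(10)
    ]
    lines += [
        "2024-01-09 10:00:12.00 Logon       Login succeeded for user 'sa'. "
        "Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]",
        "2024-01-09 10:00:15.00 spid57      Configuration option 'show advanced options' "
        "changed from 0 to 1. Run the RECONFIGURE statement to install.",
        "2024-01-09 10:00:15.50 spid57      Configuration option 'xp_cmdshell' "
        "changed from 0 to 1. Run the RECONFIGURE statement to install.",
        "2024-01-09 11:30:00.00 Logon       Login failed for user 'report_svc'. "
        "Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.20]",
    ]
    return "\n".join(lines)


def parse_errorlog(text):
    """Turn ERRORLOG text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        client = CLIENT_RE.search(msg)
        user = USER_RE.search(msg)
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "src": m.group("src"),
            "msg": msg,
            "client": client.group("client") if client else None,
            "user": user.group("user") if user else None,
        })
    return events


def find_password_guessing(events, threshold=10, window=timedelta(minutes=5)):
    """Return {client: (count, first_ts, last_ts)} for clients whose failed
    logins reach `threshold` inside a sliding `window`; the largest burst wins."""
    failures = defaultdict(list)
    for e in events:
        if e["client"] and "Login failed for user" in e["msg"]:
            failures[e["client"]].append(e["ts"])
    hits = {}
    for client, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(client, (0,))[0]:
                hits[client] = (count, stamps[start], ts)
    return hits


def find_xp_cmdshell_enables(events):
    """Timestamps at which SQL Server logged xp_cmdshell being turned on."""
    return [e["ts"] for e in events if XP_CMDSHELL_RE.search(e["msg"])]


def correlate(events, lookback=timedelta(hours=1), **kw):
    """Alert when xp_cmdshell is enabled within `lookback` of a guessing burst
    from a client that logged in successfully after the burst."""
    bursts = find_password_guessing(events, **kw)
    successes = [e for e in events if "Login succeeded for user" in e["msg"]]
    alerts = []
    for enable_ts in find_xp_cmdshell_enables(events):
        for client, (count, _first, last) in bursts.items():
            ok = [s for s in successes
                  if s["client"] == client and last <= s["ts"] <= enable_ts]
            if ok and enable_ts - last <= lookback:
                alerts.append({
                    "client": client,
                    "failed_logins": count,
                    "login_user": ok[0]["user"],
                    "xp_cmdshell_enabled_at": enable_ts,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_errorlog(constructed_sample())):
        print(alert)
```

On a real server the same logic can be fed with the output of `xp_readerrorlog` or the ERRORLOG file under the instance's Log directory; the correlation matters more than either signal alone, because a single failed-login burst is common noise, while xp_cmdshell being enabled shortly after a guessed login is rarely legitimate.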

Securonix experts emphasize that the indicators and tactics used in the two campaigns differ substantially, which suggests they are most likely independent of each other.

This is especially true of the initial access methods: DB#JAMMER was somewhat more sophisticated and relied on tunneling, while RE#TURGENCE was more targeted and preferred legitimate tools and remote monitoring and management (RMM) software such as AnyDesk to blend in with normal activity.

Securonix also spotted an operational security mistake made by the attackers. This error allowed the researchers to monitor the hackers' clipboard activity and establish their Turkish origin.

The researchers caution: "Always avoid connecting critical servers directly to the Internet. In the case of the RE#TURGENCE attackers, they could have hacked the server directly from outside the main network."