The Securonix Threat Research team discovered a malicious campaign, codenamed RE#TURGENCE, which involves targeting and exploitation of Microsoft SQL (MSSQL) database servers. The threat actors behind RE#TURGENCE, who are believed to be financially motivated, have been actively focusing on the US, EU, and LATAM countries.
The campaign's modus operandi points to one of two outcomes: the threat actors either sell unauthorized access to the compromised hosts or go on to deploy ransomware payloads themselves.
The attackers gained access to the targeted servers via brute-force attacks, leveraging the xp_cmdshell procedure to execute commands on the host. This procedure is typically disabled by default and should not be enabled, the researchers noted.
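The following T-SQL is an added defensive example, not code from the Securonix write-up. It shows how an administrator can confirm whether xp_cmdshell is enabled on an instance, return it to the disabled default, and review which SQL-authenticated logins (the accounts exposed to the brute-force attempts described above) lack password policy enforcement. It assumes sysadmin rights on the instance and that no legitimate job depends on xp_cmdshell.

```sql
-- Added defensive example (not from the original article): audit and
-- harden an MSSQL instance against the initial-access path described above.
-- Run as a sysadmin; confirm no maintenance job relies on xp_cmdshell first.

-- 1. Inspect the current state of xp_cmdshell.
--    value_in_use = 1 means it is enabled (the weak setting); 0 is the default.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Return xp_cmdshell to the disabled default (the corrected setting).
--    sp_configure needs 'show advanced options' on to touch this value,
--    so it is toggled on, the change is applied, and it is toggled back off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Review SQL-authenticated logins, the accounts a brute-force attempt targets.
--    Logins with is_policy_checked = 0 are not subject to the Windows password
--    policy (complexity and lockout), and an enabled 'sa' login is a common
--    brute-force target; both are worth disabling or tightening.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked
FROM sys.sql_logins
ORDER BY is_policy_checked, name;
```

Step 1 alone is enough for a read-only check across a fleet; steps 2 and 3 change configuration and should go through normal change control. If a job genuinely needs OS-level execution, a SQL Server Agent job step running under a dedicated proxy account is the usual alternative to leaving xp_cmdshell enabled instance-wide.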
Once the attackers were able to execute code, they ran several commands to execute two PowerShell scripts, one of which contained a heavily obfuscated Cobalt Strike payload. Besides Cobalt Strike, the threat actor also leveraged the AnyDesk remote desktop application to add a user to the administrator group and download the Mimikatz credential harvesting tool.
The threat actors proceeded with several attempts at lateral movement, resulting in the deployment of the Mimic ransomware in the form of a self-extracting archive. The ransomware initiated an encryption process, rendering the victim's data inaccessible. Subsequently, a ransom note in the form of a text file was deployed, demanding payment for the decryption key.
Due to an OPSEC (operational security) lapse (the threat actors failed to disable the clipboard sharing feature of AnyDesk), Securonix researchers were able to monitor the threat actor's clipboard activity. Further investigation into the handle "atseverse" mentioned there pointed to at least one of the attackers being located in Turkey.