Turkish Cyber Threat Targets MSSQL Servers With Mimic Ransomware

Microsoft's database continues to attract cybercriminal attention; the identity of this wave's threat group is unknown, and the attacks came to light only after a chance operational security (OpSec) lapse by the attackers.


A sophisticated attack campaign codenamed RE#TURGENCE by researchers has been discovered infiltrating Microsoft SQL (MSSQL) database servers across the United States, European Union, and Latin America, with the primary aim of deploying Mimic ransomware payloads.

RE#TURGENCE has a second potential payoff beyond extortion: the sale of access to the compromised servers, according to a Securonix report out today detailing the threat. Its researchers noted that the actors, based in Turkey, therefore appear to be financially motivated.

Beyond that, little is known about the attackers; Securonix's Threat Research team was able to glean its insights into the current spate of attacks only after a significant OPSEC lapse by the group.

That lapse exposed extensive communications, negotiation tactics, compromised passwords, and a trove of other intelligence, researchers said.

Anatomy of Mimic Ransomware Attacks on MSSQL Servers

Microsoft's proprietary relational database is a popular target among cyberattackers given its mission-critical nature, and wide deployment across a number of sectors, including enterprises, critical infrastructure, and government.

Securonix determined that in RE#TURGENCE the assailants zero in on Internet-exposed MSSQL servers, gaining initial access by brute-forcing weak administrator credentials, the same entry point used in the earlier DB#JAMMER campaign. Once they hold a sysadmin-level login, they enable the xp_cmdshell extended stored procedure, which is disabled by default; once switched on via sp_configure, it lets a database login run arbitrary operating-system commands on the host under the SQL Server service account.

With that foothold, the threat actors execute commands on the underlying host, pivot immediately to system enumeration, and use shell commands to disable existing defenses, according to Securonix.

The threat actors then deploy a suite of tools to entrench themselves on the compromised server, ensuring persistence and control, and move laterally within the network using credentials harvested with Mimikatz and the host inventory gathered with Advanced Port Scanner.

For its part, the Mimic ransomware abuses the legitimate "Everything" file-search tool by VoidTools to locate the files it will encrypt. The Mimic variant used in these attacks, which first surfaced about a year ago, uses "red25.exe" as its dropper; the dropper unpacks and launches the components the ransomware needs to complete its run.

"In the end MIMIC ransomware was manually executed by the threat actors and executed on the MSSQL server first, a domain controller, and other domain-joined hosts," the Securonix report noted.

Avoiding MSSQL Database Compromise

MSSQL databases are often misconfigured, which also contributes to their popularity among cybercriminals. Indeed, a July 2023 report from Palo Alto Networks' Unit 42 found a 174% increase in attacks targeting vulnerable SQL servers compared with the previous year.

To protect themselves, organizations should first make sure basic configurations are secure and, where possible, avoid exposing database instances directly to the Internet.

Beyond that, "limiting usage or disabling the xp_cmdshell procedure is recommended because the attackers relied heavily on it for remote code execution," says Oleg Kolesnikov, vice president of threat research and cybersecurity for Securonix. "Where this is a well-known attack technique, it is important to follow the best practices for attack surface reduction related to its use."

The firm's report also recommended enabling process-level logging on endpoints and servers to provide the telemetry needed for both detection and threat hunting.

"Aside from limiting exposure, it is important for organizations to monitor their database servers and ensure that enhanced telemetry is available, as part of SIEM/SOAR, for example, to be able to detect and prevent such attacks on a timely basis," Kolesnikov said.
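What that telemetry looks like in practice, as an added example that is not part of the article or of Securonix's report: the script below runs two detections over constructed sample data for the chain described above. The first walks Sysmon process-creation records (reduced here to timestamp, pid, ppid, image and command line, which is an assumption about how the events were exported) and flags anything whose ancestry leads back to sqlservr.exe, since a healthy database engine spawns no shells and any such child is xp_cmdshell or a near relative at work. The second parses SQL Server ERRORLOG lines, counting failed logins per account and client address to catch the credential brute force, and watching for the "Configuration option ... changed" message that sp_configure writes when xp_cmdshell is enabled. The sample events, the 203.0.113.45 client address, the pids, and the five-failures-in-five-minutes threshold are all constructed for the example; the ERRORLOG message wording follows SQL Server's own.

```python
"""Detections for the MSSQL -> xp_cmdshell -> shell chain over constructed telemetry.
Nothing here is from the Securonix report; every event below is a made-up sample."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"

# Constructed Sysmon Event ID 1 (ProcessCreate) records, reduced to the fields used here.
SYSMON_EVENTS = [
    {"ts": "2024-01-08 01:00:05", "pid": 2488, "ppid": 612, "image": SQLSERVR,
     "cmdline": '"sqlservr.exe" -sMSSQLSERVER'},
    {"ts": "2024-01-08 03:12:41", "pid": 4120, "ppid": 2488,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami & systeminfo"},
    {"ts": "2024-01-08 03:12:55", "pid": 4388, "ppid": 2488,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-01-08 03:13:10", "pid": 4500, "ppid": 612,            # benign services.exe child
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"ts": "2024-01-08 03:14:02", "pid": 5020, "ppid": 4120,           # grandchild via cmd.exe
     "image": r"C:\Users\Public\red25.exe", "cmdline": "red25.exe"},
]

# Constructed ERRORLOG excerpt: six 'sa' failures from one client in six seconds,
# one unrelated failure, then the two sp_configure messages that precede xp_cmdshell use.
ERRORLOG_LINES = [
    f"2024-01-08 03:10:0{s}.11 Logon       Login failed for user 'sa'. Reason: Password did not "
    f"match that for the login provided. [CLIENT: 203.0.113.45]" for s in range(2, 8)
] + [
    "2024-01-08 03:10:20.40 Logon       Login failed for user 'appuser'. Reason: Password did not "
    "match that for the login provided. [CLIENT: 10.0.0.5]",
    "2024-01-08 03:12:30.55 spid61      Configuration option 'show advanced options' changed "
    "from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-01-08 03:12:31.02 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. "
    "Run the RECONFIGURE statement to install.",
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DANGEROUS_OPTIONS = {"xp_cmdshell", "ole automation procedures"}  # sp_configure names, lower-case

LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(.*)$")
FAILED_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def sqlservr_descendants(events):
    """Flag every process whose pid/ppid chain leads back to sqlservr.exe.
    Direct children are the xp_cmdshell shells; deeper descendants are what those
    shells went on to launch (droppers, scanners, credential dumpers)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain, ppid, seen = [], e["ppid"], set()
        while ppid in by_pid and ppid not in seen:   # 'seen' guards against cyclic pid reuse
            seen.add(ppid)
            parent = by_pid[ppid]
            chain.append(basename(parent["image"]))
            if chain[-1] == "sqlservr.exe":
                findings.append({
                    "rule": "mssql_child_process", "ts": e["ts"],
                    "image": basename(e["image"]), "cmdline": e["cmdline"],
                    "direct_shell": len(chain) == 1 and basename(e["image"]) in SHELLS,
                    "lineage": " <- ".join([basename(e["image"])] + chain),
                })
                break
            ppid = parent["ppid"]
    return findings


def errorlog_findings(lines, threshold=5, window=timedelta(minutes=5)):
    """Brute-force detection (>= threshold failures for one user from one client inside
    'window') plus alerts when a dangerous sp_configure option is switched on."""
    failures, findings = defaultdict(list), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(3)
        if (f := FAILED_RE.search(msg)):
            failures[(f.group(1), f.group(2))].append(ts)
        elif (c := CONFIG_RE.search(msg)) and c.group(1).lower() in DANGEROUS_OPTIONS and c.group(3) != "0":
            findings.append({"rule": "dangerous_option_enabled", "ts": str(ts), "option": c.group(1)})
    for (user, client), stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                findings.append({"rule": "login_bruteforce", "user": user, "client": client,
                                 "count": len(stamps), "first": str(stamps[0]), "last": str(stamps[-1])})
                break
    return findings


if __name__ == "__main__":
    for finding in sqlservr_descendants(SYSMON_EVENTS) + errorlog_findings(ERRORLOG_LINES):
        print(finding)
```

On real data the Sysmon records would come from the Microsoft-Windows-Sysmon/Operational channel (Event ID 1 carries ProcessId, ParentProcessId, Image and CommandLine) and the ERRORLOG from the instance's Log directory; both need to be shipped off the host before the attacker's "dismantle defenses" step reaches them. The lineage walk keys on pid alone, so across a long uptime pid reuse can attach a process to the wrong parent; a production rule should key on Sysmon's ProcessGuid instead.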

Different TTPs From DB#JAMMER Cyberattacks

The researchers previously warned of "DB#JAMMER" attacks, which targeted Internet-exposed MSSQL servers with weak account credentials and dropped another Mimic variant, known as FreeWorld.

Kolesnikov explained that RE#TURGENCE nonetheless differs from that campaign and from other earlier attacks on MSSQL servers.

"Specifically, while the initial infiltration methods are similar, DB#JAMMER was slightly more sophisticated and used tunneling," he said. "RE#TURGENCE is more targeted and tends to use legitimate tools and remote monitoring and management, such as AnyDesk, in an attempt to blend in with normal activity."

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.
