A financially motivated group of Turkish hackers, identified in the RE#TURGENCE campaign, has been systematically targeting Microsoft SQL (MSSQL) servers worldwide. Their primary objective is to encrypt files using the notorious Mimic (N3ww4v3) ransomware. This ongoing cyber threat, as detected by the Securonix Threat Research team, spans across the European Union, the United States, and Latin America. The hackers, exploiting insecure configurations on MSSQL servers, employ a sophisticated approach involving brute force attacks, the xp_cmdshell procedure, and the deployment of Mimikatz-extracted credentials.
The timeline for the RE#TURGENCE events spans approximately one month from initial access to the deployment of the Mimic ransomware on the victim domain. The attackers compromise MSSQL database servers exposed online through brute force attacks and use xp_cmdshell, a system stored procedure, to spawn a Windows command shell that runs with the same security rights as the SQL Server service account. They then deploy a heavily obfuscated Cobalt Strike payload using PowerShell scripts and in-memory reflection techniques, injecting it into the Windows-native process SndVol.exe. Next, the hackers download and launch the AnyDesk remote desktop application as a service, collect clear-text credentials with Mimikatz, scan the local network, and compromise other devices using the stolen credentials, eventually reaching the domain controller.
In a distinctive move, the Mimic ransomware payloads are deployed as self-extracting archives via AnyDesk and use the legitimate Everything app to search for files to encrypt. Once encryption is complete, a specific process writes an encryption/payment notice to the victim's C:\ drive as '—IMPORTANT—NOTICE—.txt'. This campaign follows the pattern of a previous attack on MSSQL servers exposed by Securonix (DB#JAMMER), reinforcing the hackers' consistent reliance on brute force initial access and the Mimic ransomware for financial gain.
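The two earliest signals in this chain, a burst of failed logins against an exposed MSSQL instance followed by xp_cmdshell being switched on, both land in the SQL Server ERRORLOG. The following detection sketch is an added example, not code from Securonix or the article; the log lines are constructed in the ERRORLOG format (login failure message 18456 and the "Configuration option ... changed" message), the client addresses are documentation-range values, and the failed-login threshold of 5 is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample ERRORLOG lines in the SQL Server log format, not a capture
# from the RE#TURGENCE campaign. Client addresses are documentation-range values.
FAILED = ("{ts} Logon       Login failed for user 'sa'. Reason: Password did not "
          "match that for the login provided. [CLIENT: {ip}]")
SAMPLE_LOG = "\n".join(
    [FAILED.format(ts=f"2024-01-01 10:00:{s:02d}.00", ip="203.0.113.7") for s in range(6)]
    + [FAILED.format(ts="2024-01-01 10:01:00.00", ip="198.51.100.2")]
    + ["2024-01-01 10:03:12.00 spid52      Configuration option 'xp_cmdshell' "
       "changed from 0 to 1. Run the RECONFIGURE statement to install."]
)

LOGIN_FAILED = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XP_CMDSHELL_ON = re.compile(r"^(?P<ts>\S+ \S+).*Configuration option 'xp_cmdshell' changed from 0 to 1")


def failed_logins_by_client(log_text: str) -> Counter:
    """Count 'Login failed' lines per client address."""
    return Counter(m.group("ip") for m in map(LOGIN_FAILED.search, log_text.splitlines()) if m)


def xp_cmdshell_enable_events(log_text: str) -> list:
    """Return the timestamps at which xp_cmdshell was switched from 0 to 1."""
    return [m.group("ts") for m in map(XP_CMDSHELL_ON.match, log_text.splitlines()) if m]


def detect(log_text: str, threshold: int = 5) -> dict:
    """Flag clients at or above the failed-login threshold (assumed value) and
    any xp_cmdshell enablement, the two steps that open the RE#TURGENCE chain."""
    counts = failed_logins_by_client(log_text)
    return {
        "brute_force": sorted((ip, n) for ip, n in counts.items() if n >= threshold),
        "xp_cmdshell_enabled": xp_cmdshell_enable_events(log_text),
    }


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On a production server the same two checks can be run against the live configuration with `SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'` and against the failed-login audit, so that an xp_cmdshell change shortly after a login burst raises an alert rather than waiting for the AnyDesk service install.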