    Turkish hackers exploit poorly secured MS SQL servers around the world

January 9, 2024, Editorial Department, Data Security / Cyber Attack

Poorly secured Microsoft SQL (MS SQL) servers in the United States, the European Union and Latin America (LATAM) are being targeted as part of an ongoing, financially motivated initial-access campaign.

“The analyzed threat campaigns appear to end in one of two ways, either selling ‘access’ to the infected host or ultimately delivering ransomware payloads,” Securonix researchers Den Iuzvyk, Tim Peck and Oleg Kolesnikov said in a technical report shared with The Hacker News.

The activity has been attributed to a threat actor of Turkish origin and is tracked by the cybersecurity company under the codename RE#TURGENCE.

Initial access to the servers is obtained by brute-forcing login credentials; the attacker then enables the xp_cmdshell configuration option and uses it to execute operating-system shell commands on the compromised host. This mirrors a previous campaign, called DB#JAMMER, that came to light in September 2023.
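The xp_cmdshell abuse described above, as an added T-SQL example that is not from the Securonix report or the article. The first batch shows what any login holding the sysadmin role can do once its password has been brute-forced; the remaining batches are the state check and hardening an operator would run on an instance they own. The `whoami` command, the account names and the queries are illustrative; none of them is an indicator from the campaign.

```sql
-- Added example, not from the Securonix report or the article.
-- Assumes the session already holds the sysadmin server role, which is exactly
-- what a brute-forced 'sa' (or equivalent) login gives an attacker.

-- 1. Attacker's view: xp_cmdshell is off by default, but a sysadmin can turn it on
--    with two sp_configure calls, after which every batch can spawn a shell that
--    runs as the SQL Server service account.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';          -- illustrative command; shows the service account identity

-- 2. Operator's view: confirm the live state of the risky server options.
--    value_in_use = 1 for xp_cmdshell means OS command execution is currently possible.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');

-- 3. Hardening: switch xp_cmdshell back off and hide the advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Remove the brute-force target: disable the well-known 'sa' login and make sure
--    SQL logins are subject to the Windows password policy and lockout rules.
ALTER LOGIN sa DISABLE;
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins;
-- Any row here is a SQL login that bypasses the password policy and needs fixing.
SELECT name
FROM sys.sql_logins
WHERE is_policy_checked = 0;
```

Disabling xp_cmdshell is only a speed bump once an attacker holds a sysadmin login, because they can simply re-enable it as in batch 1; the durable controls are strong credentials with lockout, no direct Internet exposure of the instance, and alerting on sp_configure changes and on child processes spawned by sqlservr.exe.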

This stage paves the way for retrieving a PowerShell script from a remote server, which in turn fetches an obfuscated Cobalt Strike beacon payload.

The post-exploitation toolkit then downloads the AnyDesk remote desktop application from a mounted network share to gain interactive access to the machine, and pulls in additional tools such as Mimikatz for credential harvesting and Advanced Port Scanner for reconnaissance.

    Lateral movement is accomplished through a legitimate system management utility called PsExec, which can execute programs on remote Windows hosts.

    The attack chain culminated in the deployment of Mimic ransomware, a variant of which was also used in the DB#JAMMER campaign.

    “The indicators and malicious TTPs used in these two campaigns are completely different, so it is very likely that these are two different campaigns,” Kolesnikov told The Hacker News.

“More specifically, while the initial penetration method is similar, DB#JAMMER is slightly more sophisticated and uses tunneling techniques. RE#TURGENCE is more targeted, tending to use legitimate tools as well as remote monitoring and management, such as AnyDesk, trying to fit in with normal activities.”

Securonix said it discovered an operational security (OPSEC) error made by the threat actor: AnyDesk’s clipboard sharing feature was left enabled, which allowed the researchers to monitor the attacker’s clipboard activity.

This made it possible to establish the actor’s Turkish origin and online alias, atseverse, which also corresponds to profiles on Steam and on a Turkish hacking forum called SpyHack.

    “Critical servers should never be exposed directly to the Internet,” the researchers warned. “In the case of RE#TURGENCE, the attacker was able to brute force entry into the server directly from outside the main network.”
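A way to check an instance for the brute-force entry the researchers describe, as an added T-SQL example that is not part of the Securonix report or the article. It reads failed-login entries (error 18456, which default login auditing records together with the client address) out of the current SQL Server error log and counts them per source address, so an external address hammering many logins stands out. The threshold of 50 failures is an assumed starting point for tuning, and nothing here is an indicator from the campaign.

```sql
-- Added example, not from the Securonix report or the article.
-- Requires membership in the securityadmin role to call xp_readerrorlog.
-- Arguments: log 0 = current log, type 1 = SQL Server log, filter string.
CREATE TABLE #failed_logins (
    LogDate     datetime,
    ProcessInfo nvarchar(64),
    [Text]      nvarchar(max)
);
INSERT INTO #failed_logins (LogDate, ProcessInfo, [Text])
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- Entries look like:
--   Login failed for user 'sa'. Reason: Password did not match ... [CLIENT: 198.51.100.7]
-- Pull out the login name (first quoted token) and the client address (after "[CLIENT: ").
WITH parsed AS (
    SELECT
        LogDate,
        SUBSTRING([Text],
                  CHARINDEX('''', [Text]) + 1,
                  CHARINDEX('''', [Text], CHARINDEX('''', [Text]) + 1)
                      - CHARINDEX('''', [Text]) - 1)                        AS login_name,
        SUBSTRING([Text],
                  CHARINDEX('[CLIENT: ', [Text]) + 9,
                  CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                      - CHARINDEX('[CLIENT: ', [Text]) - 9)                 AS client_addr
    FROM #failed_logins
    WHERE CHARINDEX('[CLIENT: ', [Text]) > 0
      AND CHARINDEX('''', [Text]) > 0
)
SELECT client_addr,
       COUNT(*)                   AS failures,
       COUNT(DISTINCT login_name) AS distinct_logins,
       MIN(LogDate)               AS first_seen,
       MAX(LogDate)               AS last_seen
FROM parsed
GROUP BY client_addr
HAVING COUNT(*) >= 50      -- assumed threshold; many failures from one address is the telltale
ORDER BY failures DESC;

DROP TABLE #failed_logins;
```

A source outside your own address space with hundreds of failures against 'sa' is the pattern described above; if such an address also appears in sys.dm_exec_sessions with a successful login, treat the instance as compromised rather than merely scanned. The error log rolls over on restart, so run this against older log numbers (1, 2, ...) as well when reconstructing a timeline.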
