Turkish hackers are abusing poorly secured MS SQL servers around the world


Poorly secured Microsoft SQL (MS SQL) servers are being attacked in the US, European Union and Latin America (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access.

“The analyzed threat campaign appears to end in two ways: either by selling ‘access’ to the compromised host, or by the eventual delivery of ransomware payloads,” said Securonix researchers Den Iuzvyk, Tim Peck and Oleg Kolesnikov in a technical report shared with The Hacker News.

The campaign, linked to actors of Turkish descent, has been codenamed RE#TURGENCE by the cybersecurity company.

Initial access to the servers is gained by brute-forcing logins, followed by use of the xp_cmdshell configuration option to run shell commands on the compromised host under the SQL Server service account. This activity mirrors that of a previous campaign called DB#JAMMER that came to light in September 2023.
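The two conditions that make this phase possible are a login that can be brute-forced from the Internet and xp_cmdshell being enabled (or enable-able) for it. The T-SQL below is an added example, not code from the Securonix report or from the campaign itself; it audits and disables xp_cmdshell on a SQL Server instance and pulls the failed-login entries from the error log that a brute-force attempt leaves behind. It assumes you run it as sysadmin and that the instance keeps the default login auditing level ("failed logins only"), which is what writes those entries.

```sql
-- Added example: audit and harden xp_cmdshell, then look for brute-force
-- evidence. Run as sysadmin on the SQL Server instance being checked.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means any sysadmin login
--    (including a brute-forced 'sa') can run OS commands as the service account.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Disable it. xp_cmdshell is an advanced option, so expose those first;
--    each change needs RECONFIGURE to take effect.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 3. Brute-force evidence: failed logins land in the SQL Server error log.
--    Search the current log (0) and the previous one (1) for them, newest first.
--    Arguments: log number, log type (1 = SQL Server), search string 1,
--    search string 2, start time, end time, sort order.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', NULL, NULL, NULL, N'desc';
EXEC master.dbo.xp_readerrorlog 1, 1, N'Login failed', NULL, NULL, NULL, N'desc';

-- 4. Who holds sysadmin? An unexpected or newly created login here is a finding,
--    since sysadmin is all the attacker needs to re-enable xp_cmdshell.
SELECT sp.name, sp.type_desc, sp.is_disabled, sp.create_date
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';

-- 5. Live sessions with their source addresses, to spot a connection arriving
--    from outside the network the instance is supposed to serve.
SELECT s.session_id, s.login_name, s.host_name, s.program_name, c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1;
```

Disabling xp_cmdshell is a speed bump, not a fix: anything that already holds sysadmin can turn it back on with the same sp_configure call, so step 4 matters as much as step 2. The conditions that actually end this campaign's first stage are not exposing port 1433 to the Internet, disabling or renaming the sa login, and enforcing lockout or strong passwords for any SQL-authenticated login that must remain.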

This phase paves the way for retrieving a PowerShell script from a remote server responsible for retrieving an obfuscated Cobalt Strike beacon payload.

The post-exploitation toolkit is then used to download the AnyDesk remote desktop application from an associated network share to access the machine and download additional tools such as Mimikatz to collect credentials and Advanced Port Scanner to perform reconnaissance.


Lateral movement is achieved through PsExec, a legitimate system administration tool that can run programs on remote Windows hosts.

The attack chain ultimately culminates in the deployment of Mimic ransomware, a variant of which was also used in the DB#JAMMER campaign.

Securonix said it had uncovered an operational security (OPSEC) blunder by the threat actors: because AnyDesk's clipboard sharing feature was left enabled, the researchers were able to monitor the attackers' clipboard activity.

This made it possible to trace their Turkish origins and their online alias atseverse, which also corresponds to a profile on Steam and a Turkish hacking forum called SpyHack.

“Always exercise caution when exposing critical servers directly to the Internet,” the researchers warned. “In the case of RE#TURGENCE, attackers were able to directly brute-force into the server from outside the main network.”

