Microsoft SQL (MS SQL) servers with weak security are being targeted in an ongoing, financially motivated campaign that uses them to gain initial access to organizations in the United States, the European Union, and Latin America (LATAM).
The campaign associated with Turkish actors has been dubbed RE#TURGENCE by a cybersecurity firm.
Initial access to the servers is gained by brute-forcing credentials and then using the xp_cmdshell configuration option to run shell commands on the compromised host. This activity mirrors a previous campaign, DB#JAMMER, which emerged in September 2023.
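From a detection standpoint, the brute-force-then-xp_cmdshell sequence described above leaves two recognizable traces in the SQL Server ERRORLOG: a burst of "Login failed" lines from one client and a "Configuration option 'xp_cmdshell' changed from 0 to 1" line. The script below is an added example, not code from the report or the firm that published it; the log sample, client addresses, threshold and time window are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (hypothetical sample; the client IPs
# are documentation/private addresses). Real logs use these same message formats.
SAMPLE_LOG = """\
2024-01-09 03:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-09 03:12:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-09 03:12:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-09 03:12:02.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-09 03:12:02.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-09 03:12:03.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2024-01-09 03:13:10.00 Logon       Login failed for user 'app_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]
2024-01-09 03:14:30.01 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\S+\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
ENABLE_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def parse(log_text):
    """Yield (timestamp, message) for every well-formed ERRORLOG line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2)

def detect(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (client, failure_count, enable_time) for every client that logged
    at least `threshold` failed logins in `window` before xp_cmdshell was enabled."""
    failures = defaultdict(list)   # client IP -> timestamps of failed logins
    alerts = []
    for ts, msg in parse(log_text):
        f = FAIL_RE.search(msg)
        if f:
            failures[f.group(2)].append(ts)
            continue
        if ENABLE_RE.search(msg):
            for client, times in failures.items():
                recent = [t for t in times if ts - window <= t <= ts]
                if len(recent) >= threshold:
                    alerts.append((client, len(recent), ts))
    return alerts

if __name__ == "__main__":
    for client, n, when in detect(SAMPLE_LOG):
        print(f"ALERT {client}: {n} failed logins before xp_cmdshell was enabled at {when}")
```

A single failed login from an unrelated client (10.0.0.21 in the sample) does not trigger an alert; only a client whose failure burst precedes the configuration change does.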
This stage paves the way for obtaining a PowerShell script from a remote server responsible for delivering a hidden Cobalt Strike payload.
The post-exploitation toolkit is then used to download additional tools: Mimikatz for credential harvesting, Advanced Port Scanner for reconnaissance, and the AnyDesk remote desktop application, which is used to pull further tooling from a mounted network share.
Lateral movement is achieved with PsExec, a legitimate system administration utility that can execute programs on remote Windows hosts.
The attack chain ultimately culminates in the deployment of the Mimic ransomware, as was also seen in the DB#JAMMER campaign.