Türk Hackers Exploiting MS SQL Servers

Poorly secured Microsoft SQL (MS SQL) servers are being targeted for initial access in an ongoing, financially motivated campaign spanning the United States, the European Union, and Latin America (LATAM).

The campaign, attributed to Turkish actors, has been dubbed RE#TURGENCE by a cybersecurity firm.

Initial access is gained by brute-forcing the servers and then using the xp_cmdshell configuration option to run shell commands on the compromised host. This activity mirrors an earlier campaign, DB#JAMMER, which emerged in September 2023.
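Both halves of that initial-access stage leave traces in the SQL Server ERRORLOG: repeated "Login failed for user" entries from one client, and a "Configuration option 'xp_cmdshell' changed from 0 to 1" entry when the option is switched on. The detector below is an added example, not code from the article or the firm that named the campaign; the log lines are constructed samples in the standard ERRORLOG layout, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not taken from the article).
SAMPLE_LOG = """\
2024-01-09 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-09 10:00:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-09 10:00:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-09 10:00:02.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-09 10:00:03.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-09 10:15:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-01-09 10:20:17.33 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

TS = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
LOGIN_FAIL = re.compile(TS + r"\s+Logon\s+Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XP_CMDSHELL = re.compile(TS + r".*Configuration option 'xp_cmdshell' changed from (?P<old>\d) to (?P<new>\d)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as (kind, client_ip, user, timestamp) tuples.

    kind is "brute_force" when one client IP accumulates `threshold` failed
    logins inside `window` (assumed tuning values), or "xp_cmdshell_enabled"
    when the option is flipped to 1."""
    alerts = []
    failures = defaultdict(list)   # client IP -> failure timestamps in the window
    flagged = set()                # IPs already alerted on, to fire only once
    for line in log_text.splitlines():
        m = LOGIN_FAIL.match(line)
        if m:
            ts = parse_ts(m["ts"])
            times = failures[m["ip"]]
            times.append(ts)
            while times and ts - times[0] > window:   # slide the window forward
                times.pop(0)
            if len(times) >= threshold and m["ip"] not in flagged:
                flagged.add(m["ip"])
                alerts.append(("brute_force", m["ip"], m["user"], ts))
            continue
        m = XP_CMDSHELL.match(line)
        if m and m["new"] == "1":
            alerts.append(("xp_cmdshell_enabled", None, None, parse_ts(m["ts"])))
    return alerts
```

A brute-force alert followed shortly by an xp_cmdshell enable event on the same instance is the sequence worth escalating, since the second step is what turns a guessed password into command execution.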

That stage leads to the retrieval of a PowerShell script from a remote server, which delivers a hidden Cobalt Strike payload.

The post-exploitation toolkit is then used to download additional tools: Mimikatz for credential harvesting, Advanced Port Scanner for reconnaissance, and the AnyDesk remote desktop application, which is used to pull further tooling from a mounted network share.

Lateral movement is achieved through a legitimate system administration utility called PsExec, which can execute programs on remote Windows hosts.

The attack chain ultimately culminates in the deployment of the Mimic ransomware, as was also seen in the DB#JAMMER campaign.

Mert Doğukan is an experienced C-level executive and CISO specializing in information security and risk management. With strong leadership qualities and strategic vision, he plays a crucial role in protecting and ensuring the security of the company's information assets. He demonstrates top-level performance in developing, implementing, and auditing corporate-level information security strategies. Additionally, he closely monitors technological advancements to continuously update and enhance the company's cybersecurity infrastructure.