Misconfigured Microsoft SQL database servers in the U.S., Latin America, and the European Union have been targeted by a Turkish hacking operation with Mimic ransomware, also known as N3ww4v3, as part of the RE#TURGENCE attack campaign, reports BleepingComputer.
Brute-force attacks were used to compromise the internet-exposed MSSQL servers, after which the attackers leveraged the xp_cmdshell system stored procedure for privilege escalation, along with a Cobalt Strike payload meant to be injected into the SndVol.exe process, a report from the Securonix Threat Research team revealed. Using Mimikatz and the Advanced Port Scanner utility, the threat actors also stole clear-text credentials, discovered other network devices and compromised domain controllers, before using AnyDesk to distribute the Mimic ransomware.
"The analyzed threat campaign appears to end in one of two ways, either the selling of 'access' to the compromised host, or the ultimate delivery of ransomware payloads. The timeline for the events was about one month from initial access to the deployment of MIMIC ransomware on the victim domain," said researchers.
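The two earliest stages of the chain described above, password brute forcing against an exposed MSSQL login and the enabling of xp_cmdshell, both leave traces in the SQL Server ERRORLOG. The script below is an added example (not from the Securonix report or BleepingComputer) that parses ERRORLOG-style lines and raises two alerts: repeated failed logins (error 18456) from one client address within a short window, and the configuration message SQL Server writes when xp_cmdshell is switched on. The log excerpt, timestamps, login names and IP addresses are constructed for the example, and the threshold of five failures in five minutes is an assumed tuning value, not one the report states.

```python
"""Triage SQL Server ERRORLOG lines for MSSQL brute forcing and xp_cmdshell enablement.

Added example: the log excerpt below is constructed. The message formats follow
SQL Server's ERRORLOG, but timestamps, logins and client addresses are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six failed 'sa' logins in two seconds from one address,
# xp_cmdshell being enabled shortly after, and one unrelated failure hours later.
SAMPLE_LOG = """\
2024-01-08 02:14:01.11 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-08 02:14:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-01-08 02:14:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-01-08 02:14:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-01-08 02:14:02.44 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-01-08 02:14:02.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-01-08 02:14:03.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-01-08 02:16:30.00 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-08 09:00:00.00 Logon       Login failed for user 'backup_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]
"""

# ERRORLOG layout: "<timestamp> <source> <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (\S+)\s+(.*)$")
FAILED_LOGIN_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
XP_CMDSHELL_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse_log(text):
    """Return (timestamp, source, message) tuples for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group(2), m.group(3)))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag client addresses with >= threshold failed logins inside a sliding window.

    threshold and window are assumed tuning values for this example.
    """
    recent = defaultdict(deque)  # client address -> recent (timestamp, user) failures
    alerts = {}
    for ts, _src, msg in events:
        m = FAILED_LOGIN_RE.search(msg)
        if not m:
            continue
        user, client = m.group(1), m.group(2)
        q = recent[client]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(client, {"first_seen": q[0][0], "users": set()})
            alert["failures"] = len(q)
            alert["users"].update(u for _, u in q)
    return alerts


def detect_xp_cmdshell_enabled(events):
    """Return (timestamp, source spid) for each time xp_cmdshell was turned on."""
    return [(ts, src) for ts, src, msg in events if XP_CMDSHELL_RE.search(msg)]


def analyze(text):
    events = parse_log(text)
    return {
        "bruteforce": detect_bruteforce(events),
        "xp_cmdshell_enabled": detect_xp_cmdshell_enabled(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client, a in report["bruteforce"].items():
        print(f"brute force: {client} {a['failures']} failures since {a['first_seen']} "
              f"against {sorted(a['users'])}")
    for ts, src in report["xp_cmdshell_enabled"]:
        print(f"xp_cmdshell enabled at {ts} by {src}")
```

Run against the constructed excerpt, the script reports the burst from 198.51.100.7 against the sa login and the xp_cmdshell change made by spid51 about two minutes later; the single failure from 10.0.0.23 stays below the threshold. Correlating the two alerts by time is what separates a noisy internet scan from an intrusion that has already reached command execution on the host.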
BleepingComputer reports that Knight ransomware was observed by KELA threat analysts to have the third iteration of its source code posted for sale by the operation's representative, Cyclops, on RAMP forums.