Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe
https://www.indiavpn.org/2024/01/09/turkish-hackers-exploiting-poorly-secured-ms-sql-servers-across-the-globe/
Tue, 09 Jan 2024 15:07:49 +0000

Jan 09, 2024 | Newsroom | Data Security / Cyber Attack


Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access.

“The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical report shared with The Hacker News.

The campaign, linked to actors of Turkish origin, has been codenamed RE#TURGENCE by the cybersecurity firm.


Initial access is gained by brute-forcing the servers' logins, after which the attackers use the xp_cmdshell configuration option to run operating-system shell commands on the compromised host. xp_cmdshell is disabled by default in SQL Server and has to be switched on through sp_configure, so its enablement on a production server is itself a signal worth alerting on. This activity mirrors that of a prior campaign dubbed DB#JAMMER that came to light in September 2023.
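
The initial-access pattern described above, brute-forced logins followed by xp_cmdshell being switched on, is visible in the SQL Server ERRORLOG. The following detector is an added example written for this page; it is not Securonix's tooling and not part of the original report. The log lines are constructed (the message wording is SQL Server's own, the addresses, users and timestamps are made up), the failure threshold of five is an assumed tuning value, and the link between the configuration change and the brute-forced login is a correlation by time order only, because the ERRORLOG does not record which session ran sp_configure.

```python
import re
from collections import defaultdict

# Constructed sample in the SQL Server ERRORLOG layout; not from the
# Securonix report. The message wording for failed/successful logins and
# for sp_configure changes is SQL Server's own; timestamps, user names and
# client addresses are made up. Successful logins only appear in the
# ERRORLOG when login auditing is set to log both failed and successful logins.
SAMPLE_ERRORLOG = """\
2024-01-08 02:14:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2024-01-08 02:14:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2024-01-08 02:14:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2024-01-08 02:14:02.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2024-01-08 02:14:02.98 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2024-01-08 02:14:03.41 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.23]
2024-01-08 02:14:09.77 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-08 02:14:09.80 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-08 03:02:15.00 Logon       Login failed for user 'backup_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.15]
2024-01-08 03:02:40.00 Logon       Login succeeded for user 'backup_svc'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.15]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+\S+\s+(?P<msg>.*)$")
LOGIN_FAIL_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
LOGIN_OK_RE = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

FAIL_THRESHOLD = 5  # assumed tuning value; pick per environment


def parse_errorlog(text):
    """Yield (timestamp, message) for every well-formed ERRORLOG line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["msg"]


def analyze(text, fail_threshold=FAIL_THRESHOLD):
    """One pass over the log, in order. Flags the RE#TURGENCE initial-access
    pattern: a client address that racks up failed logins, then a successful
    login from that same address, then xp_cmdshell being switched on.
    The ERRORLOG does not record which session changed a configuration option,
    so the last step is a correlation by time order only; confirm it with the
    default trace or a server audit before acting on it."""
    failures = defaultdict(int)      # client IP -> failed logins so far
    suspicious_logins = []           # (ts, user, ip): success after >= threshold failures
    xp_cmdshell_enabled = []         # timestamps at which xp_cmdshell went 0 -> 1
    alerts = []

    for ts, msg in parse_errorlog(text):
        if m := LOGIN_FAIL_RE.search(msg):
            failures[m["ip"]] += 1
            if failures[m["ip"]] == fail_threshold:
                alerts.append(f"{ts} brute force: {fail_threshold} failed logins from {m['ip']}")
        elif m := LOGIN_OK_RE.search(msg):
            if failures.get(m["ip"], 0) >= fail_threshold:
                suspicious_logins.append((ts, m["user"], m["ip"]))
                alerts.append(f"{ts} login succeeded after brute force: '{m['user']}' from {m['ip']}")
        elif m := CONFIG_RE.search(msg):
            if m["opt"] == "xp_cmdshell" and m["new"] == "1":
                xp_cmdshell_enabled.append(ts)
                origin = f", last brute-forced login from {suspicious_logins[-1][2]}" if suspicious_logins else ""
                alerts.append(f"{ts} xp_cmdshell enabled{origin}")

    return {
        "failures": dict(failures),
        "suspicious_logins": suspicious_logins,
        "xp_cmdshell_enabled": xp_cmdshell_enabled,
        "alerts": alerts,
    }


if __name__ == "__main__":
    for alert in analyze(SAMPLE_ERRORLOG)["alerts"]:
        print(alert)
```

Run against the sample, the detector raises three alerts: the fifth failure from 198.51.100.23, the subsequent success for 'sa' from the same address, and the xp_cmdshell change a few seconds later; the single failed attempt from 10.0.0.15 followed by a success stays below the threshold and is left alone. Turning 'show advanced options' on is not alerted by itself, since it precedes many legitimate configuration changes.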

This stage paves the way for the retrieval of a PowerShell script from a remote server that’s responsible for fetching an obfuscated Cobalt Strike beacon payload.

The post-exploitation toolkit is then used to download the AnyDesk remote desktop application from a mounted network share for accessing the machine and downloading additional tools such as Mimikatz to harvest credentials and Advanced Port Scanner to carry out reconnaissance.


Lateral movement is accomplished by means of a legitimate system administration utility called PsExec, which can execute programs on remote Windows hosts.

The attack chain ultimately culminates in the deployment of Mimic ransomware, a variant of which was also used in the DB#JAMMER campaign.

“The indicators as well as malicious TTPs used in the two campaigns are completely different, so there is a very high chance these are two disparate campaigns,” Kolesnikov told The Hacker News.


“More specifically, while the initial infiltration methods are similar, DB#JAMMER was slightly more sophisticated and used tunneling. RE#TURGENCE is more targeted and tends to use legitimate tools and remote monitoring and management, such as AnyDesk, in an attempt to blend in with normal activity.”

Securonix said it uncovered an operational security (OPSEC) blunder by the threat actors: because AnyDesk's clipboard-sharing feature was enabled, the researchers were able to monitor the attackers' clipboard activity.

This made it possible to establish the actors' Turkish origin and their online alias atseverse, which also corresponds to a profile on Steam and on a Turkish hacking forum called SpyHack.

“Always refrain from exposing critical servers directly to the internet,” the researchers cautioned. “With the case of RE#TURGENCE attackers were directly able to brute force their way into the server from outside the main network.”

Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining
https://www.indiavpn.org/2023/12/27/poorly-secured-linux-ssh-servers-under-attack-for-cryptocurrency-mining/
Wed, 27 Dec 2023 06:58:43 +0000

Dec 27, 2023 | Newsroom | Malware / Server Security

Poorly secured Linux SSH servers are being targeted by threat actors who install port scanners and dictionary-attack tools on them, with the goal of compromising further vulnerable servers and co-opting them into a network used for cryptocurrency mining and distributed denial-of-service (DDoS) attacks.

“Threat actors can also choose to install only scanners and sell the breached IP and account credentials on the dark web,” the AhnLab Security Emergency Response Center (ASEC) said in a report on Tuesday.

In these attacks, adversaries try to guess a server's SSH credentials by running through a list of commonly used username and password combinations, a technique known as a dictionary attack.

If the brute-force attempt succeeds, the threat actor deploys additional malware, including scanners, to find other susceptible systems on the internet.

Specifically, the scanner looks for systems with port 22 (the port associated with the SSH service) open, and the dictionary attack is then repeated against each of them to install the malware, effectively propagating the infection.


Another notable aspect of the attack is the execution of commands such as “grep -c ^processor /proc/cpuinfo” to determine the number of CPU cores.

“These tools are believed to have been created by PRG old Team, and each threat actor modifies them slightly before using them in attacks,” ASEC said, adding there is evidence of such malicious software being used as early as 2021.

To mitigate the risks associated with these attacks, it's recommended that users rely on passwords that are hard to guess, periodically rotate them, and keep their systems up-to-date. Where a host does not need password logins at all, disabling SSH password authentication in favor of key-based logins removes the dictionary attack's target entirely.
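
The article's advice stops at strong passwords; the settings that decide whether a dictionary attack can get anywhere at all live in sshd_config. The following audit is an added example written for this page, not ASEC's tooling and not part of the original report. It goes one step beyond the text by treating password authentication itself as the weak setting, including the keyboard-interactive path through PAM that still prompts for a password when only PasswordAuthentication has been turned off. The sample configuration is constructed; the directive names, values and defaults are OpenSSH's own (PermitRootLogin has defaulted to prohibit-password since OpenSSH 7.0), and the recommended MaxAuthTries of 3 is an assumed value.

```python
import re

# Added example, not from the ASEC report. Directive names, values and
# defaults are OpenSSH's own; the configuration below is constructed.
WEAK_CONFIG = """\
# constructed sample of an internet-facing host that still takes passwords
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
PermitEmptyPasswords no
"""

# Directive -> (recommended value, why it matters against a dictionary attack).
# Order here is the order findings are reported in.
HARDENING = {
    "PasswordAuthentication": ("no", "a dictionary attack needs password logins; use keys instead"),
    "KbdInteractiveAuthentication": ("no", "with PAM this still prompts for a password even when PasswordAuthentication is off"),
    "PermitRootLogin": ("no", "root is in every wordlist"),
    "PermitEmptyPasswords": ("no", "empty passwords are in every wordlist"),
    "MaxAuthTries": ("3", "fewer guesses per connection slows the attack down (assumed value)"),
}
# Value OpenSSH uses when the directive is absent from sshd_config.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "KbdInteractiveAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
    "PermitEmptyPasswords": "no",
    "MaxAuthTries": "6",
}
CANONICAL = {name.lower(): name for name in HARDENING}        # directive names are case-insensitive
CANONICAL["challengeresponseauthentication"] = "KbdInteractiveAuthentication"  # deprecated alias
DIRECTIVE_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9]+)[\s=]+(?P<value>\S+)")


def parse_sshd_config(text):
    """Effective {directive: value}. sshd keeps the first value it reads for a
    directive, so later duplicates are ignored. Directives inside a Match block
    apply only conditionally; this example stops at the first Match line.
    Comment lines never match DIRECTIVE_RE because they start with '#'."""
    seen = {}
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name = CANONICAL.get(m["name"].lower(), m["name"])
        if name.lower() == "match":
            break
        seen.setdefault(name, m["value"])
    return seen


def is_weak(name, value):
    """True when the effective value still lets password guessing proceed."""
    v = value.lower()
    if name == "MaxAuthTries":
        return int(v) > int(HARDENING[name][0])
    if name == "PermitRootLogin":
        # prohibit-password (older spelling: without-password) already blocks
        # password logins for root, which is what matters here
        return v not in ("no", "prohibit-password", "without-password")
    return v != "no"


def audit(text):
    """Findings as (directive, effective value, recommended value, reason)."""
    effective = parse_sshd_config(text)
    findings = []
    for name, (recommended, reason) in HARDENING.items():
        value = effective.get(name, DEFAULTS[name])
        if is_weak(name, value):
            findings.append((name, value, recommended, reason))
    return findings


def harden(text):
    """Return the config with each weak directive replaced in place (first
    occurrence only, which is the one sshd honours) and any directive that was
    missing and weak by default appended at the end."""
    weak = {name: recommended for name, _value, recommended, _reason in audit(text)}
    out, done, in_match = [], set(), False
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        name = CANONICAL.get(m["name"].lower(), m["name"]) if m else None
        if name is not None and name.lower() == "match":
            in_match = True
        if not in_match and name in weak and name not in done:
            out.append(f"{name} {weak[name]}")
            done.add(name)
        else:
            out.append(line)
    for name, recommended in weak.items():
        if name not in done:
            out.append(f"{name} {recommended}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, value, recommended, reason in audit(WEAK_CONFIG):
        print(f"{name} {value} -> {recommended}: {reason}")
    print(harden(WEAK_CONFIG))
```

On the sample, the audit reports four findings (password authentication on, keyboard-interactive on by default, root login allowed, six tries per connection) and the hardened output clears all of them; an empty file is also reported as weak, because the OpenSSH defaults alone accept passwords. Run the real thing with `sshd -T`, which prints the effective configuration including Match blocks, and feed that output to `audit` rather than the raw file.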

The findings come as Kaspersky revealed that a novel multi-platform threat called NKAbuse is leveraging a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel for DDoS attacks.
