For several weeks, threat actors have been targeting insecure Microsoft SQL Server (MSSQL) database servers belonging to organizations in the U.S., EU and Latin America in order to deploy ransomware.
In the ongoing campaign, observed by researchers with Securonix, attackers first brute force the administrative password of an exposed MSSQL server, then use that access to download a number of payloads, steal credentials, move laterally across the network and eventually download ransomware. Researchers also believe that the threat actors have been selling their access to various compromised organizations.
“The ransomware of choice is Mimic ransomware which uses the legitimate application Everything by VoidTools to query and locate target files to be encrypted,” said Den Iuzvyk, Tim Peck and Oleg Kolesnikov with the Securonix threat research team in a Tuesday report. “Mimic was first identified and gained traction back in January 2023. Mimic will drop the Everything binaries used to aid in the encryption process. The Mimic dropper in our case ‘red25.exe’ dropped all of the necessary files in order for the main ransomware payload to complete its objectives.”
After gaining initial access, the threat actors leverage the xp_cmdshell extended stored procedure, a SQL Server feature that spawns a Windows command shell and runs an arbitrary command string from inside the database engine, to execute commands on the host. They then begin to enumerate the system, deploy heavily obfuscated Cobalt Strike payloads for further code execution, download Mimikatz to dump credentials and install the AnyDesk service, which they leverage to download the ransomware payload. Alongside the AnyDesk installation, the threat actors added a new local user to the administrators group in an attempt to set up persistence.
“Eventually after a few days, the threat actors were able to move laterally into two other machines on the network, likely using data provided by Mimikatz and the Advanced Port Scanner utility,” said researchers. “The threat actors transferred in psexec, a Sysinternals utility commonly used by threat actors and red-teamers. Using the utility, a new session to a domain controller was opened using a Domain Admin password which was obtained earlier.”
Notably, the threat actors made a key operational security error: they enabled the AnyDesk clipboard-sharing feature, which allowed researchers to monitor their clipboard and gave insight into various threat actor communications and negotiations. Researchers said that at this stage they are not able to comment on the number or vertical industries of the victims targeted thus far.
For security teams, there are several straightforward measures that would have blunted this type of attack. A key takeaway from the campaign is that organizations should always “refrain from exposing critical servers directly to the internet,” said researchers. Publicly exposed MSSQL servers continue to give attackers an easy way into organizations; in September 2023 researchers observed attackers using similar brute-force attacks against MSSQL to deploy ransomware.
In the campaign “attackers were directly able to brute force their way into the server from outside the main network,” said researchers. “We recommend providing access to these resources behind a much more secure infrastructure such as a VPN.”
Additionally, the threat actors are leveraging the xp_cmdshell procedure, a powerful feature that is disabled by default, and researchers warn that it should not be enabled, particularly on publicly exposed servers. Enabling process-level logging on endpoints and servers, such as Sysmon process-creation events or PowerShell logging, can also help organizations detect and hunt for the activity described above, since xp_cmdshell shows up as the SQL Server process spawning a command shell, said researchers.
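The chain the report describes leaves a distinctive trail in process-creation telemetry: sqlservr.exe spawning cmd.exe (the signature of xp_cmdshell), `net user ... /add` and `net localgroup administrators ... /add` for the persistence account, and the AnyDesk, Mimikatz and psexec binaries. The hunt below is an added example written for this article, not code from Securonix or from the report; it runs a handful of rules over constructed Sysmon Event ID 1 records (hostnames, account names, paths and command lines are invented to mirror the chain) and then flags a host as likely compromised when an xp_cmdshell spawn is followed by a new local admin or attacker tooling on the same host. The rule names, the tool-binary list and the `ProcEvent` field set are assumptions of this example, not artifacts from the campaign.

```python
"""Hunt for the xp_cmdshell-to-ransomware chain in Sysmon process-creation events.

Added example, not from the Securonix report or the article it is quoted in.
All events below are constructed; hosts, users, paths and command lines are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """The Sysmon Event ID 1 fields this hunt needs (assumed flattening of the XML event)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# xp_cmdshell produces exactly this parent/child pair: sqlservr.exe spawning a shell or downloader.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe", "curl.exe"}
# Usual binary names of the tooling the report names (AnyDesk, Mimikatz, psexec, Advanced Port Scanner).
TOOL_BINARIES = {"anydesk.exe", "mimikatz.exe", "psexec.exe", "psexec64.exe", "psexesvc.exe",
                 "advanced_port_scanner.exe"}

ADD_USER = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)
ADD_ADMIN = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)


def classify(e: ProcEvent) -> list[Finding]:
    """Apply every hunt rule to one event; an event may trip several rules."""
    out: list[Finding] = []
    parent, child, cmd = _basename(e.parent_image), _basename(e.image), e.command_line
    if parent == "sqlservr.exe" and child in SHELL_CHILDREN:
        out.append(Finding(e.host, "xp_cmdshell_spawn", f"{child} spawned by SQL Server as {e.user}: {cmd}"))
    if ADD_USER.search(cmd):
        out.append(Finding(e.host, "local_user_created", cmd))
    if ADD_ADMIN.search(cmd):
        out.append(Finding(e.host, "local_admin_added", cmd))
    if child in TOOL_BINARIES:
        out.append(Finding(e.host, "attacker_tooling", f"{child}: {cmd}"))
    return out


def hunt(events: list[ProcEvent]) -> list[Finding]:
    """Run the rules over a stream of events, preserving event order."""
    return [f for e in events for f in classify(e)]


def compromised_hosts(findings: list[Finding]) -> list[str]:
    """Hosts where an xp_cmdshell spawn is paired with persistence or attacker tooling."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items()
                  if "xp_cmdshell_spawn" in rules and rules & {"local_admin_added", "attacker_tooling"})


# Constructed sample telemetry mirroring the chain in the article (invented values throughout).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent("SQL01", r"NT SERVICE\MSSQLSERVER", SQLSERVR, CMD, 'cmd.exe /c "whoami & hostname"'),
    ProcEvent("SQL01", r"NT SERVICE\MSSQLSERVER", SQLSERVR, CMD, "cmd.exe /c net user svc_backup Passw0rd! /add"),
    ProcEvent("SQL01", r"NT SERVICE\MSSQLSERVER", CMD, r"C:\Windows\System32\net.exe",
              "net localgroup administrators svc_backup /add"),
    ProcEvent("SQL01", r"NT SERVICE\MSSQLSERVER", CMD, r"C:\Users\Public\AnyDesk.exe",
              r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"),
    ProcEvent("SQL01", r"CORP\svc_backup", CMD, r"C:\Users\Public\psexec.exe",
              r"psexec.exe \\DC01 -u CORP\Administrator -p <redacted> cmd.exe"),
    # Benign: an interactive user opening a shell from Explorer trips nothing.
    ProcEvent("WS02", r"CORP\alice", r"C:\Windows\explorer.exe", CMD, "cmd.exe"),
]


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:6} {f.rule:20} {f.detail}")
    print("likely compromised:", compromised_hosts(found))
```

The parent/child check is the one rule that does not depend on attacker tooling names and is the cheapest to deploy as a standing alert: on a server where xp_cmdshell is left disabled (the default, which `sp_configure 'xp_cmdshell'` reports), sqlservr.exe should never be the parent of cmd.exe or powershell.exe, so any hit is worth an immediate look rather than a hunt.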