Summary: Recently, an attack campaign codenamed RE#TURGENCE has come into focus. In it, threat actors target vulnerable MS SQL Servers with brute-force attacks to gain access to the servers and deploy MIMIC ransomware. In this post, we discuss the RE#TURGENCE campaign in detail and mention ways to protect and safeguard MS SQL Servers from such attacks. It also mentions a powerful SQL database repair tool that can help recover databases from ransomware-affected SQL Servers.
Security researchers have recently spotted an attack campaign, named RE#TURGENCE, targeting unprotected or insecure Microsoft SQL Servers across the US, the European Union, and the Latin American region. According to a report by Securonix – a security intelligence solutions provider – the threat actors are financially motivated and use brute-force techniques to enter the SQL Server network, with the aim of deploying MIMIC ransomware or selling access to the compromised hosts to other threat actors.
In this post, we will learn more about the RE#TURGENCE campaign and the techniques attackers are using to target the MS SQL Servers. We will also mention the ways to protect and safeguard the MS SQL Servers against such attacks.
How Are the RE#TURGENCE Campaign Attackers Exploiting MS SQL Servers?
The threat actors use vulnerability scanning tools to identify and target unprotected MS SQL Servers. They use brute force to log in to the vulnerable MS SQL database servers and then abuse the xp_cmdshell option, which allows them to execute Windows shell commands from within the MS SQL Server environment.
It has been observed that the attackers use this ability to execute a PowerShell command that downloads a semi-obfuscated file, which in turn downloads a heavily obfuscated Cobalt Strike payload. Cobalt Strike is an adversary simulation tool; here it is used to run remote agents (beacons) for automated code execution on the target SQL Server.
The Cobalt Strike beacon is configured with few network indicators and is hard to detect. It is configured to inject into a Windows-native process, SndVol.exe, to control the compromised system remotely. Using this, the attackers execute commands, upload and download files, and spawn processes. The injection strengthens the persistence of the attackers' foothold on the targeted system.
After that, the attackers use Cobalt Strike to deploy the legitimate remote desktop software AnyDesk, primarily for future interaction with the compromised hosts. They then deploy Mimikatz to extract credentials, use Advanced Port Scanner, and leverage the Sysinternals utility PsExec to move laterally to the domain controller, giving them access to other systems on the network.
The threat actors then deploy the MIMIC ransomware manually on the MS SQL Server. After encrypting the data, they demand a ransom by dropping a ransom note as a text file.
How to Protect MS SQL Servers from the RE#TURGENCE Campaign and Other Malicious Attacks?
Publicly exposed or insecure MS SQL Servers are vulnerable to the RE#TURGENCE campaign and other malicious attacks. You need to ensure that your MS SQL Servers and systems are secure and up to date. Here are some preventive measures you can take to prevent or minimize such attacks:
- Keep your operating system updated with the latest patches. You can turn on automatic Windows updates.
- Always use secure accounts with strong passwords.
- In MS SQL Server, make sure you have selected and configured the authentication mode correctly. You must set a strong password for the administrator account.
- Microsoft regularly releases security patches and software updates to fix bugs and security issues. Install the SQL Server updates as soon as they become available.
- Provide training to the IT team and employees on how to recognize malicious emails and other scams, to increase security awareness.
- Install powerful antivirus software that is also application-aware.
- Follow the 3-2-1 backup strategy to create backups of the database. This ensures recovery in case of any untoward incident.
- Use VPNs to establish secure connections while using public networks. This provides an extra layer of security and reduces the risk of vulnerability exploitation on the same network.
- The xp_cmdshell procedure in MS SQL Server allows Windows commands to be executed from SQL scripts. Limiting the use of this procedure minimizes the risk of malicious commands being run and of unauthorized access.
- Install System Monitor (Sysmon), a Windows service and device driver that monitors and logs Windows events. It collects detailed information, including network connections and process creations, which helps identify malicious activity or code on the network.
- PowerShell logs capture the details of executed commands and scripts. Monitoring these logs can help detect suspicious activity.
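The SQL Server side of the checklist above (authentication mode, administrator account hygiene, xp_cmdshell, and spotting brute-force login attempts) can be audited and hardened from T-SQL. The script below is an added example written for this post; it is not code from the original article or from the Securonix report. It assumes a connection with sysadmin rights, the default login auditing setting (failed logins are written to the SQL Server error log), and a hypothetical temporary table name `#errlog`.

```sql
-- Added example: audit and harden the SQL Server settings called out above.
-- Run as a member of the sysadmin role.

-- 1. Authentication mode. 1 = Windows Authentication only; 0 = mixed mode,
--    where SQL logins (such as sa) are reachable and brute-forceable over the network.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. If mixed mode must stay on, confirm the built-in administrator login is
--    disabled, or at least subject to Windows password policy and expiration checks.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name = N'sa';

-- 3. Check whether xp_cmdshell is enabled. 'show advanced options' must be on
--    before the value can be viewed or changed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 4. Disable xp_cmdshell unless a documented job depends on it. This closes the
--    SQL-to-shell pivot the campaign uses for its PowerShell download stage.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 5. Brute-force indicator: count failed logins recorded in the current error log.
--    xp_readerrorlog arguments: log number (0 = current), log type (1 = SQL Server
--    error log), search string. Hypothetical temp table name: #errlog.
CREATE TABLE #errlog (
    LogDate     datetime,
    ProcessInfo nvarchar(100),
    [Text]      nvarchar(max)
);

INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
EXEC xp_readerrorlog 0, 1, N'Login failed';

SELECT COUNT(*)     AS failed_logins,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen
FROM #errlog;

-- Break the count down by source address. Failed-login entries end with
-- "[CLIENT: x.x.x.x]"; many failures from one address in a short window is
-- the pattern to alert on. '[[]' escapes the literal bracket in LIKE.
SELECT SUBSTRING([Text], CHARINDEX(N'[CLIENT:', [Text]), 64) AS client,
       COUNT(*) AS failures
FROM #errlog
WHERE [Text] LIKE N'%[[]CLIENT:%'
GROUP BY SUBSTRING([Text], CHARINDEX(N'[CLIENT:', [Text]), 64)
ORDER BY failures DESC;

DROP TABLE #errlog;
```

Run steps 1 to 3 first as a read-only audit; step 4 changes server configuration and should go through change control. The failed-login breakdown in step 5 is a point-in-time view; for continuous coverage, forward the SQL Server error log (or the matching Windows Application log events) to your SIEM and alert on repeated failures from a single client address.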
How to Recover SQL Databases affected by Ransomware?
If your MS SQL Server gets compromised and the databases are affected by ransomware, you can try a powerful SQL repair tool, such as Stellar Repair for MS SQL, to restore data from the database. It is a robust tool that can help recover data from damaged or corrupted SQL database files. You can download the free trial version of Stellar Repair for MS SQL and scan the affected database file. The tool has advanced algorithms that thoroughly scan the affected SQL database file (MDF/NDF) and then show a preview of all recoverable data. You can then save the recoverable data to a new database by activating the software. After that, import the recovered database into your SQL Server. If you encounter any technical challenges during the recovery process, feel free to reach out to Stellar’s support team at support@stellarinfo.com.
Conclusion
Unpatched and insecure MS SQL Servers are a soft target for threat actors. The recent RE#TURGENCE campaign by financially motivated threat actors is aimed at vulnerable SQL Servers. After gaining access to the server through brute force and other techniques, the threat actors deploy ransomware on it. To protect your MS SQL Servers from such attacks, you can follow the measures mentioned above. If your SQL Server gets compromised, you can use Stellar Repair for MS SQL to try to restore data from the ransomware-affected SQL database.