Image: Hack Capital via Unsplash

Turkish hackers targeting database servers with Mimic ransomware

Turkish hackers are targeting databases in the United States, European Union and Latin America with the Mimic ransomware, according to new research from cybersecurity company Securonix.

Oleg Kolesnikov, vice president of threat research, told Recorded Future News that what stood out most about the campaign was that the hackers customized their attacks for each victim far more than what they typically see.

“From our latest observations, this appears to be a financially-motivated, ongoing campaign,” Kolesnikov said. “The attackers appear to use a more targeted approach in terms of obtaining initial access compared to some of the other malicious threat actors using exploits, commodity malware payloads etc.”

Securonix, which named the campaign “RE#TURGENCE,” said the hackers either sell the access they obtain or deploy ransomware on the compromised host.

The researchers uncovered the campaign after an operational security mistake by the attackers exposed significant parts of their communications, ransom negotiations and other material.

The hackers are specifically going after Microsoft SQL Server (MSSQL), a widely used relational database management system that stores and retrieves the data requested by applications. It is one of several database managers that use SQL, short for Structured Query Language.

Once inside, the attackers enumerate the victim's environment and disable or weaken security controls in order to establish persistence. They typically dwell in a victim's network for about a month before deploying the Mimic ransomware.

The researchers noted that the initial access tactics used in the campaign resemble those of another campaign they discovered last year that also involved Mimic. As in that campaign, the hackers gain access to internet-exposed Microsoft SQL servers by brute forcing, that is, guessing credentials by trial and error until one works.
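The brute-force initial access described above leaves an obvious trace on the database server itself: SQL Server writes every failed login to its ERRORLOG (error 18456) together with the client address. The following is an added example, not code from Securonix or from the Recorded Future article, of a small detector that reads such log lines, counts failures per client IP inside a sliding window, and raises a second, higher-confidence alert when a login from the same address succeeds after the burst. The log lines are constructed here in the style of the ERRORLOG; the exact line layout, the threshold values, and the assumption that successful logins are also being audited are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One ERRORLOG-style logon line. Assumption: real SQL Server logs use this
# layout ("Login failed for user '...' ... [CLIENT: <ip>]"); these lines are
# constructed for the example and are not taken from the Securonix report.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<ip>[^\]]+)\]$"
)


def _errorlog_line(ts, outcome, user, ip):
    """Build a constructed sample line in ERRORLOG style (test data only)."""
    reason = (
        "Reason: Password did not match that for the login provided."
        if outcome == "failed"
        else "Connection made using SQL Server authentication."
    )
    return f"{ts} Logon       Login {outcome} for user '{user}'. {reason} [CLIENT: {ip}]"


# Constructed sample: 12 rapid failures for 'sa' from one external address,
# then a success from the same address; plus two unrelated failures from an
# internal host that should stay below the threshold.
SAMPLE_ERRORLOG = "\n".join(
    [_errorlog_line(f"2024-01-05 03:12:{41 + i:02d}.00", "failed", "sa", "203.0.113.45")
     for i in range(12)]
    + [
        _errorlog_line("2024-01-05 03:12:58.00", "succeeded", "sa", "203.0.113.45"),
        _errorlog_line("2024-01-05 08:00:01.00", "failed", "appuser", "10.0.0.7"),
        _errorlog_line("2024-01-05 08:00:05.00", "failed", "appuser", "10.0.0.7"),
    ]
)


def parse_logon_events(log_text):
    """Return the logon events (failed or succeeded) found in ERRORLOG text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-logon lines (startup messages, backups, ...) are skipped
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "ip": m["ip"],
            "user": m["user"],
            "failed": m["outcome"] == "failed",
        })
    return events


def detect_bruteforce(log_text, threshold=10, window=timedelta(minutes=5)):
    """Flag client IPs with >= threshold failed logins inside a sliding window.

    Emits a 'bruteforce' alert the moment an IP crosses the threshold and a
    'success_after_bruteforce' alert if that IP later logs in successfully,
    which is the pattern a successful password-guessing attack leaves behind.
    """
    events = sorted(parse_logon_events(log_text), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for ev in events:
        ip = ev["ip"]
        if ev["failed"]:
            cutoff = ev["ts"] - window
            recent_failures[ip] = [t for t in recent_failures[ip] if t >= cutoff] + [ev["ts"]]
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "bruteforce", "ip": ip, "user": ev["user"],
                               "count": len(recent_failures[ip]), "at": ev["ts"]})
        elif ip in flagged:
            alerts.append({"kind": "success_after_bruteforce", "ip": ip,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_ERRORLOG):
        print(alert)
```

On a real host the input would be the contents of the ERRORLOG file (or the same 18456 events forwarded from the Windows Application log to a SIEM); the threshold and window should be tuned to the server's normal failure rate, and a `success_after_bruteforce` hit on an internet-facing instance is worth treating as a probable compromise rather than a noisy login problem.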

Mimic was spotlighted earlier this year by researchers at Trend Micro after first being seen in the wild in June 2022.

It targets Russian- and English-speaking users, and Trend Micro said there are indicators tying it to the Conti ransomware builder that was leaked last year.

In one instance, the hackers moved laterally to two other machines after gaining initial access. They eventually downloaded the ransomware payload, which is able to query and locate specific files that the hackers want encrypted.

Securonix warned that companies should “always refrain from exposing critical servers directly to the internet.”

“With the case of RE#TURGENCE, attackers were directly able to brute force their way into the server from outside the main network,” they said. “We recommend providing access to these resources behind a much more secure infrastructure such as a VPN.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.