Turkish ransomware campaign hacks into weak MSSQL servers: report

January 10, 2024

Poorly secured Microsoft SQL servers in the US, EU, and LATAM are being attacked by financially motivated Turkish threat actors in an ongoing campaign to deliver MIMIC ransomware payloads, according to Securonix research.

The financially motivated campaign, named RE#TURGENCE, gains initial access to victim systems by targeting and exploiting insecurely configured MSSQL database servers, an infection technique observed earlier this year with the DB#JAMMER campaign that subsequently delivered Cobalt Strike and FreeWorld ransomware.

“The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” Securonix said in a blog post. “The timeline for the events was about one month from initial access to the deployment of MIMIC ransomware on the victim domain.”

Read More on CSO Online