Deciphering the MSSQL Ransomware Conundrum (Mimic): A Comprehensive Examination

Introduction

In recent weeks, a surge of cyber threats has been detected, specifically targeting Microsoft SQL database servers (MSSQL) within organizations based in the U.S., EU, and Latin America. Cybersecurity experts at Securonix have been closely monitoring this ongoing campaign, revealing a meticulously orchestrated sequence of actions by threat actors seeking to deploy ransomware.

The Methodical Approach of Threat Actors

In the observed campaign, attackers initiate their assault by brute-forcing administrative passwords on MSSQL servers. This initial breach enables them to download a series of payloads, steal credentials, move laterally across the network, and ultimately deliver ransomware. Intriguingly, researchers suspect that these threat actors have been monetizing their unauthorized access by selling access to the various compromised organizations.

The ransomware of choice in this campaign is Mimic ransomware, strategically utilizing the legitimate application Everything by VoidTools for file reconnaissance. As highlighted by Den Iuzvyk, Tim Peck, and Oleg Kolesnikov of the Securonix threat research team, Mimic ransomware gained prominence in January 2023 and employs the seemingly innocuous ‘red25.exe’ dropper to facilitate the encryption process.

Exploiting SQL Server Features

Upon gaining initial access, threat actors leverage the powerful xp_cmdshell procedure inherent in SQL servers. This feature allows them to execute commands, initiating a sequence that involves system enumeration, deployment of obfuscated Cobalt Strike payloads for advanced code execution, downloading Mimikatz for credential extraction, and installing AnyDesk as a conduit for the ransomware payload. Notably, the installation of AnyDesk includes the addition of a new local user to the administrators group, emphasizing the threat actors’ intent to establish persistence within the compromised environment.

Over the course of several days, these threat actors demonstrate an adept ability to move laterally within the network. Using the credentials recovered by Mimikatz and the hosts identified by the Advanced Port Scanner utility, they transfer in the Sysinternals utility PsExec. This lets them open a new session on a domain controller using a Domain Admin password obtained earlier in the intrusion.

Operational Oversight and Unintended Exposure

Despite the sophistication displayed by threat actors, a notable operational security error emerges: the enabling of the AnyDesk clipboard-sharing feature. This oversight grants cybersecurity researchers a unique window into threat actor communications and negotiations, providing invaluable insights into their strategies and interactions. However, the researchers acknowledge that, at this stage, specifics regarding the number of victims and the vertical industries targeted remain undisclosed.

Security Measures and Recommendations

For security teams, the ongoing campaign serves as a poignant reminder of the importance of implementing robust security measures. One key takeaway is the imperative for organizations to refrain from exposing critical servers directly to the internet. Publicly exposed MSSQL servers present an easily exploitable entry point for attackers, a vulnerability highlighted by similar brute force attacks observed in September 2023.

The researchers strongly advocate for a more secure infrastructure, suggesting that access to critical resources be provided behind a secure layer, such as a Virtual Private Network (VPN). Additionally, they caution against enabling the xp_cmdshell procedure without a clear need, noting that it is disabled by default for a reason. To improve detection, they recommend enabling process-level logging on endpoints and servers, using tools such as Sysmon or PowerShell logging.
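The two behaviours the article describes, brute force against SQL logins and xp_cmdshell spawning shells from sqlservr.exe, both leave traces in logs that the recommended process-level logging captures. The following Python is an added example, not code from the article or from Securonix, showing what those detections look like over constructed log data. The SQL Server error-log lines and the Sysmon-style event records below are made up for illustration; the IP addresses, paths and user names are placeholders, not indicators from the campaign. The threshold of five failed logins per minute is an assumed tuning value.

```python
"""Added example (not from the original article): two detections for the
behaviours the Mimic/MSSQL campaign relies on, run over constructed logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Brute force against SQL logins ---------------------------------------
# SQL Server writes failed logins to its error log (and to the Windows
# Application log as event 18456). These lines are constructed to follow that
# shape; the client IPs are documentation addresses, not real indicators.
ERRORLOG_LINES = [
    "2024-01-10 03:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-01-10 03:15:03.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-01-10 03:15:05.07 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]",
    "2024-01-10 03:15:08.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-01-10 03:15:10.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-01-10 03:15:12.18 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-01-10 03:15:20.55 spid52      Starting up database 'tempdb'.",
    "2024-01-10 03:20:00.00 Logon       Login failed for user 'report_svc'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]",
]

FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak_failures} for sources that produced at least
    `threshold` failed logins inside any sliding `window`. Grouping by client
    address rather than by login name catches password spraying across several
    accounts as well as repeated guesses against 'sa'."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if m:
            by_ip[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


# --- 2. xp_cmdshell footprint in process-creation telemetry --------------------
# xp_cmdshell runs its command through a shell whose parent is sqlservr.exe.
# Sysmon event ID 1 records Image and ParentImage, so the parent/child pair is
# the signal. These records are constructed; install paths are assumptions.
SYSMON_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "CommandLine": "cmd.exe /c hostname", "User": r"NT SERVICE\MSSQLSERVER"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4", "User": r"NT SERVICE\MSSQLSERVER"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe", "User": r"CORP\dba01"},
]

# Shells and built-in download utilities commonly seen as xp_cmdshell children.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe"}


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sql_spawned_shells(events):
    """Return Sysmon EID 1 events in which sqlservr.exe is the direct parent of
    a shell or download utility. A normal SQL Server instance almost never does
    this, so each hit is worth a look regardless of the command line."""
    return [
        e for e in events
        if e.get("EventID") == 1
        and basename(e.get("ParentImage", "")) == "sqlservr.exe"
        and basename(e.get("Image", "")) in SHELLS
    ]


if __name__ == "__main__":
    for ip, n in brute_force_sources(ERRORLOG_LINES).items():
        print(f"brute force suspected from {ip}: {n} failures within a minute")
    for e in sql_spawned_shells(SYSMON_EVENTS):
        print(f"sqlservr.exe spawned {basename(e['Image'])}: {e['CommandLine']} as {e['User']}")
```

Both detections are cheap because they key on structure rather than on specific commands or payload names, which change between intrusions. Whether xp_cmdshell is enabled at all can be checked on the server with `SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';`, and it can be switched off with `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`, which is the default state the researchers recommend keeping.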

Conclusion: Navigating the Cybersecurity Landscape

In conclusion, the ongoing MSSQL ransomware campaign underscores the dynamic and persistent nature of cyber threats. By shedding light on the attackers’ methodologies and recommending proactive security measures, cybersecurity researchers aim to empower organizations to fortify their defences against evolving cyber threats. As the cybersecurity landscape continues to evolve, continuous vigilance, adaptation, and collaboration remain paramount in safeguarding digital assets against sophisticated adversaries.


Article By:

Trevor Kutto Hacks