Hackers Target Exposed MS SQL Servers with Mimic Ransomware in Recent Campaign

Security researchers have identified a recent campaign in which hackers are actively targeting exposed MS SQL servers using the Mimic ransomware. Mimic ransomware, initially discovered in June 2022 and analyzed by Trend Micro researchers in January 2023, exhibits sophisticated capabilities, leveraging the APIs of a Windows filename search engine called Everything for file searches. The ransomware can perform actions such as deleting shadow copies, terminating processes and services, unmounting virtual drives, and activating anti-shutdown and anti-kill measures. Encrypted files carry the .QUIETPLACE file extension.

Trend Micro researchers observed that Mimic shares certain code similarities with the Conti ransomware builder leaked in March 2022, suggesting a potential connection. The ransomware specifically targets Russian and English-speaking users.

In the recent campaign, hackers gained access to compromised MS SQL servers through brute force attacks. Once an admin account was compromised, they utilized the xp_cmdshell procedure for command execution, system enumeration, and deploying a heavily obfuscated Cobalt Strike payload. The AnyDesk remote access tool was also employed in the attack. Persistence was achieved by creating a local user and adding it to the “administrators” group.

The attackers followed a systematic approach, involving system discovery, lateral movement, and, ultimately, deploying the Mimic ransomware using AnyDesk. The entire timeline of events spanned approximately one month from the initial access to the deployment of Mimic ransomware on the victim domain, as noted by Securonix researchers.

This financially motivated hacking group primarily targets countries in the US, EU, and LATAM regions. The campaign’s conclusion typically involves either selling access to the compromised host or delivering ransomware payloads, according to the researchers.

This campaign bears resemblance to a previous one identified by Securonix researchers in the previous year, highlighting a recurring pattern of MS SQL server targeting and Mimic ransomware delivery. Additionally, a campaign documented in early 2020 saw attackers utilizing poorly secured MS SQL servers to install cryptocurrency miners, indicating a historical trend of exploiting SQL server vulnerabilities for various malicious purposes.

Catch the latest in supply chain news on The Supply Chain Report. Visit ADAMftd.com for free international trade tools.

#MimicRansomware #CyberSecurity #TrendMicro #SQLServerExploitation #RansomwareAttacks #CobaltStrike #RemoteAccessTools #HackingCampaign #MalwareAnalysis #DataSecurity #ITSecurity #BruteForceAttack #CyberThreats #Securonix #MaliciousSoftware #InformationSecurity