Mimic Ransomware Operators Exploiting Misconfigured MSSQL Servers


January 10, 2024

World map

Suspected Turkish threat actors have been observed targeting improperly configured Microsoft SQL (MSSQL) servers in a massive campaign designed to deliver Mimic ransomware, with attacks detected in the European Union, the United States, and Latin America.  

"The analyzed threat campaign appears to end in one of two ways, either the selling of "access" to the compromised host, or the ultimate delivery of ransomware payloads," Bleeping Computer reports.

“The threat actors compromised MSSQL database servers exposed online in brute force attacks. Then, they used the system-stored xp_cmdshell procedure, which allowed them to spawn a Windows command shell with the same security rights as the SQL Server service account.”

Takeaway: Ransomware operators continue to become more efficient at exploiting vulnerabilities, and this trend is likely to continue as threat actors automate aspects of their attack sequences.

Nowhere was that more evident than in the massive exploitation of a vulnerability in the MOVEit managed file transfer software (CVE-2023-34362) the Cl0p ransomware gang leveraged to compromise more than 1000 victims in rapid succession over the summer in 2023.

The wave of attacks followed another earlier in the year where Cl0p successfully compromised more than a hundred targets by exploiting a bug in the GoAnywhere file transfer tool.

Mass exploitation of vulnerabilities is further evidence that ransomware gangs are increasingly leveraging automation to identify and target exposed organizations who have not patched against known vulnerabilities, which is why we are seeing so many new victims.  

The bad news is that as attackers are getting more proficient at automating aspects of the attack progression by exploiting known vulnerabilities for initial access, improving stealthy payload delivery, fine tuning evasion techniques, and exponentially improving encryption speeds, we will likely continue to see an escalation in attacks.

Research from 2023 found that more than three-quarters of all ransomware-related vulnerability exploits observed in 2022 targeted older bugs disclosed between 2010 and 2019 for which patches were already available.

Most of these vulnerabilities were low to medium severity levels, making it more likely that they were lower on an organization's priority list for patching or were simply never addressed.

For many of these vulnerabilities, exploits have been available for quite some time, and in many cases the exploits have been built into toolkits and largely automated, so we're also seeing an increase in ransomware attacks displaying these more sophisticated attack sequences.

The good news is that given these attacks leverage exploits for well-documented vulnerabilities, which means we have a chance to detect and stop these ransomware operations earlier in the attack sequence.

Many of the TTPs they employ are common and should help to reveal a lot of detectable activity on the network that occurs long before the actual ransomware payload is delivered.  

Note the dwell time for the MSSQL exploits in the Mimic campaign was about one month between initial infection and the delivery f the ransomware payload.

Organizations with the right controls in place stand a good chance of disrupting these attacks at initial ingress when these known exploits are likely to be used, or when the attackers begin to move laterally on the network and seek to escalate privileges.

The ransomware payload is the very tail-end of a longer attack, so a multi-layer defense strategy that is designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.