Hackers target MSSQL servers with RE#TURGENCE campaign

SISA Weekly Threat Watch 15 January 2024

Last week’s cybersecurity landscape was marked by a series of concerning developments, highlighting diverse threats and vulnerabilities. These included the resurgence of the Bandook RAT with a new phishing tactic, advanced phishing by UAC-0050 to deliver the Remcos RAT, Turkish hackers targeting MSSQL servers, active distribution of the PikaBot loader malware, and CISA flagging six vulnerabilities. These events emphasize the need for strengthened cybersecurity measures, including timely software updates and thorough vulnerability assessments, to effectively counter the escalating threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. New Bandook RAT variant resurfaces, targeting Windows machines

The recently identified Bandook remote access trojan (RAT) variant is using a new phishing approach to target Windows systems. Discovered in October 2023, this iteration employs a PDF file containing a link to a password-protected .7z archive; once the archive is extracted, the malware injects its payload into the genuine Windows binary msinfo32.exe. Originally detected in 2007, Bandook has proven adaptable, and in this instance an injector component decrypts and loads the payload into msinfo32.exe, which then serves as the host for various malicious activities.

The malware ensures persistence through Windows Registry modifications and establishes communication with a command-and-control server for additional payloads and instructions. Security measures, including robust email filtering, advanced endpoint protection, network segmentation, and regular patch management, are crucial for mitigating such evolving threats effectively.

2. UAC-0050 group using new phishing tactics to distribute Remcos RAT

The hacking group UAC-0050 is employing advanced tactics in phishing attacks to disseminate the Remcos RAT, known for its capabilities in remote surveillance and control. Active since 2020, the group has targeted Ukrainian and Polish entities, employing social engineering tactics and deceptive strategies to lure recipients into opening malicious attachments. Security researchers discovered a multi-step process initiated by an LNK file, suspected to be delivered through phishing emails targeting Ukrainian military personnel. The LNK file executes an HTML application, triggering a PowerShell script that downloads and executes the Remcos RAT, version 4.9.2 Pro.

The RAT utilizes unnamed pipes for data exchange, enabling the covert transfer of harvested data, thereby avoiding detection by antivirus systems and Endpoint Detection and Response (EDR) tools. This sophisticated approach highlights the group’s evolving tactics in eluding security measures. To counter this, organizations should implement a robust cybersecurity strategy, combining employee training, advanced endpoint protections, network segmentation, regular patching, and a practiced incident response plan.

3. Turkish hackers target MSSQL servers with RE#TURGENCE campaign

Microsoft SQL (MSSQL) servers in the U.S., European Union, and Latin American regions are facing a persistent threat known as RE#TURGENCE, orchestrated by Turkish actors with a focus on financial gains. Security researchers highlighted the campaign’s methodology, involving brute-force attacks on inadequately secured servers, exploitation of the xp_cmdshell configuration, and subsequent deployment of ransomware payloads or selling server access. The attackers employ a post-exploitation toolkit, utilizing legitimate tools like AnyDesk for remote desktop access and PsExec for lateral movement.

Despite similarities to a previous campaign named DB#JAMMER, there were distinctions, and an operational security oversight by the attackers allowed researchers to identify the campaign's Turkish origins. Recommendations include restricting xp_cmdshell access, enhancing telemetry with process-level logging, deploying additional logging solutions, and monitoring the creation of new local users to bolster defenses against such threats.
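As an added example (not part of the SISA advisory or the researchers' report), the T-SQL below implements three of those recommendations on a SQL Server instance: it checks whether xp_cmdshell is enabled and disables it, lists recently created logins, and sets up a server audit for failed logins, login creation and server-role changes. The audit name and file path are placeholders chosen for this example.

```sql
-- Added example: hardening and telemetry checks for the xp_cmdshell abuse
-- described in the RE#TURGENCE campaign. Run as a sysadmin.

-- 1. Check the current state. value_in_use = 1 means xp_cmdshell is enabled
--    and a login with sysadmin rights can run OS commands through it.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Disable xp_cmdshell (requires 'show advanced options' to be visible).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 3. "Monitor new local user creation": list SQL and Windows logins
--    created in the last 7 days so unexpected accounts stand out.
SELECT name, type_desc, create_date
FROM sys.server_principals
WHERE type IN ('S', 'U')               -- S = SQL login, U = Windows login
  AND create_date > DATEADD(day, -7, GETDATE())
ORDER BY create_date DESC;

-- 4. "Additional logging": a server audit capturing brute-force noise
--    (failed logins), new principals, and sysadmin role changes.
--    Audit name and FILEPATH are placeholders; adjust for your host.
CREATE SERVER AUDIT Audit_MSSQL_Hardening
    TO FILE (FILEPATH = 'C:\SQLAudit\');

CREATE SERVER AUDIT SPECIFICATION AuditSpec_MSSQL_Hardening
    FOR SERVER AUDIT Audit_MSSQL_Hardening
    ADD (FAILED_LOGIN_GROUP),              -- password guessing attempts
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),   -- logins created/altered/dropped
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)  -- e.g. additions to sysadmin
    WITH (STATE = ON);

ALTER SERVER AUDIT Audit_MSSQL_Hardening WITH (STATE = ON);

-- 5. Review the audit trail, e.g. from a scheduled job or SIEM collector.
SELECT event_time, action_id, succeeded, server_principal_name, statement
FROM sys.fn_get_audit_file('C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Process-level logging of what xp_cmdshell spawns (child processes of sqlservr.exe) is done on the host side, for example with Windows process-creation auditing or Sysmon, and complements the SQL-level audit above.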

4. PikaBot loader malware being actively spread by Water Curupira hackers

Water Curupira, a threat actor, has been actively distributing the PikaBot loader malware throughout 2023, employing spam campaigns with notable peaks in activity during the first quarter, extending until June, and a resurgence in September. The campaign shares similarities with tactics used by cybercrime groups TA571 and TA577, particularly in the delivery of QakBot, suggesting potential connections or shared infrastructure among these threat actors. PikaBot serves as a loader, initiating unauthorized remote access and enabling the execution of arbitrary commands through its command-and-control (C&C) server connection.

The attack typically starts with ZIP archive attachments containing JavaScript or IMG files, with the malware checking the system’s language before proceeding. Water Curupira’s campaigns aim to deliver Cobalt Strike, leading to the subsequent deployment of Black Basta ransomware. Security researchers note the threat actor’s shift exclusively to PikaBot from its earlier DarkGate and IcedID campaigns in the third quarter of 2023, and emphasize vigilance against phishing emails, verifying sender identity, and keeping software updated to mitigate such threats.

5. CISA flags 6 vulnerabilities: Apple, Apache, Adobe, D-Link, Joomla under attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with six additional security vulnerabilities based on evidence of ongoing exploitation. Notable among these is CVE-2023-27524, a high-severity vulnerability affecting Apache Superset, enabling remote code execution.

CISA’s update includes vulnerabilities in Adobe ColdFusion, Apple products, D-Link DSL-2750B devices, and Joomla. Of particular concern is CVE-2023-41990, swiftly addressed by Apple after playing a role in Operation Triangulation spyware attacks. Federal agencies are strongly urged to apply fixes for these vulnerabilities by January 29, 2024, to enhance network security and mitigate potential risks effectively.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
