Over 50,000 MS-SQL, PHPMyAdmin servers infected in Nansh0u campaign

The attack is believed to have Chinese roots.


A fresh wave of attacks against MS-SQL and PHPMyAdmin servers has been detected across the globe, launched in the quest for cryptocurrency.

Over 50,000 servers belonging to organizations in healthcare, telecommunications, media, and IT have been infected, Guardicore Labs said on Wednesday.

Ophir Harpaz and Daniel Goldberg, researchers from Guardicore, said in a blog post that the so-called Nansh0u campaign is a sophisticated take on more primitive cryptocurrency mining attacks.

Over the past two months, beginning on February 26, 2019, Guardicore has documented the compromise of Windows MS-SQL and PHPMyAdmin servers. In some cases, over seven hundred new victims per day were recorded.

"The Nansh0u campaign is not a typical crypto-miner attack," the researchers say. "It uses techniques often seen in advanced persistent threats (APTs) such as fake certificates and privilege escalation exploits."

Five attack servers and six connect-back servers provided the infrastructure required for Nansh0u. When a victim server was identified via a port scanner, the threat actors would first attempt to access the system using MS-SQL brute-force tools, which succeeded wherever weak account credentials were in use.

In many cases, this technique proved to be successful, giving the attackers access to an account with administrative privileges. These credentials were also saved for future use.

After obtaining the IP addresses, ports, usernames and passwords of vulnerable servers, the attackers would tamper with server settings and create a Visual Basic script file on the victim system to download malicious files from the attackers' servers.
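The initial-access step described above leaves a recognisable trace on the database server: a burst of failed logins from one client followed by a success. The following detection logic is an added example, not code from the article or from Guardicore; the log lines are constructed in the style of the SQL Server ERRORLOG (with login auditing set to record both failures and successes), and the thresholds are assumptions a defender would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in SQL Server ERRORLOG style (not from the article).
SAMPLE_LOG = """\
2019-02-26 03:14:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-02-26 03:14:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-02-26 03:14:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-02-26 03:14:02.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-02-26 03:14:02.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.23]
2019-02-26 09:30:00.00 Logon       Login failed for user 'app_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
2019-02-26 09:31:10.00 Logon       Login succeeded for user 'app_ro'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.8]
"""

# Timestamp, outcome, login name and client address of each Logon line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) Logon\s+Login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse(log_text):
    """Return (timestamp, 'failed'|'succeeded', user, client_ip) for every Logon line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce_success(log_text, min_failures=3, window_seconds=60):
    """Return (client_ip, user, failure_count) for each successful login that
    followed at least min_failures failed attempts from the same client
    within window_seconds. Thresholds are assumed values; tune to the environment."""
    findings = []
    recent = defaultdict(list)  # client_ip -> timestamps of recent failures
    for ts, result, user, ip in parse(log_text):
        fails = recent[ip]
        # Drop failures that fell out of the sliding window.
        fails[:] = [t for t in fails if (ts - t).total_seconds() <= window_seconds]
        if result == "failed":
            fails.append(ts)
        elif len(fails) >= min_failures:
            findings.append((ip, user, len(fails)))
            fails.clear()
    return findings
```

On the sample, only the 'sa' client is flagged; the single slow failure from 10.0.0.8 ages out of the window before its success, which is the expected behaviour for a mistyped password.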

The researchers recorded 20 separate malicious payloads used during Nansh0u, with new variants created weekly.


The payloads made use of CVE-2014-4113, a vulnerability first reported in 2014 which impacts win32k.sys in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1.

If exploited, the vulnerability permits privilege escalation via a crafted application.

Once a server was successfully compromised, the payloads dropped a cryptocurrency miner and installed a sophisticated kernel-mode rootkit to maintain persistence and prevent the mining malware from being terminated.

The cryptocurrency miners dropped by the malware mine for TurtleCoin on behalf of four different mining pools or make use of XMRig, an open-source Monero mining script.


Many of the payloads also dropped a kernel-mode driver signed by Verisign used to prevent processes -- such as the miner -- from being stopped. During the time the campaign was active, the Verisign sign-off ensured that the driver was deemed legitimate and would pass security checks. In addition, the driver was protected with VMProtect in order to make reverse engineering the software difficult.

The certificate contained the name for a fake Chinese company, Hangzhou Hootian Network Technology.


Nansh0u is believed to have originated from China, given the attacker's certificate and the use of EPL, a Chinese-language programming language. In addition, some of the file servers used during the campaign are based in China, and many of the log files and binaries contained Chinese strings.

"The decision to write a major part of the infrastructure in a relatively esoteric language is unusual," the researchers added. "It appears that tools, which until recently belonged to nation state-level hackers, are today the property of even common criminals."

Guardicore reached out to the hosting provider of the servers used to facilitate the attack, as well as to Verisign. The servers have now been taken down and the certificate revoked, but this does not mean the campaign will not return with a fresh set of servers and a working code-signing certificate in the future.
