
Attackers are attacking Windows MS-SQL and PHPMyAdmin servers around the world

Mr.Smith

More than 50 thousand Windows MS-SQL and PHPMyAdmin servers have been infected with cryptocurrency-mining malware.

Guardicore Labs has published a detailed report on a large-scale cryptocurrency-mining campaign in which a Chinese APT group implants cryptominers and rootkits into Windows MS-SQL and PHPMyAdmin servers worldwide. According to the researchers, the attackers have already compromised more than 50 thousand servers belonging to organizations in the healthcare, telecommunications and IT sectors.

The campaign, named Nansh0u, has been running since the end of February this year, but experts noticed it only in early April. The attackers located MS-SQL and PHPMyAdmin Windows servers exposed to the Internet, broke into them by brute force, and then infected them with malware. Experts found 20 different versions of the malicious modules.

After successfully authenticating with administrator rights, the attackers executed a series of MS-SQL commands on the compromised system and downloaded a malicious payload from a remote server, which was launched with SYSTEM privileges (the known vulnerability CVE-2014-4113 in the win32k.sys driver was used). The malicious module then loaded a TurtleCoin cryptocurrency miner and, to keep the process from being terminated, used an expired digital certificate issued by the Verisign certification authority. The certificate bore the name of a bogus Chinese company, Hangzhou Hootian Network Technology.

Servers with weak credentials are the ones mainly at risk, so all administrators are advised to use more complex login and password combinations. The experts have also provided a free script that lets you check a system for the presence of the malware.

Link to the script: github.com/guardicore/labs_campaigns/blob/master/Nansh0u/detect_nansh0u.ps1
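As an added example that is not part of the original post and is not Guardicore's detect_nansh0u.ps1 (it uses none of that script's indicators), the PowerShell below checks a SQL Server host for the three conditions the post describes: server options that let a SQL login run OS commands and fetch a payload, SQL logins that an Internet brute-force attack has the best odds against (policy-exempt, blank or trivial passwords), and running processes whose signing certificate has already expired. Assumptions, all hypothetical: Windows PowerShell 5.1 run as a local administrator on the SQL host, Windows authentication to the instance named by `$Instance`, and a caller holding CONTROL SERVER (required to read `sys.sql_logins.password_hash` for `PWDCOMPARE`). The trivial-password list is constructed for the example.

```powershell
# Added example, not Guardicore's detect_nansh0u.ps1 and not tied to its indicators.
# Assumptions (hypothetical): Windows PowerShell 5.1, run as local administrator on the
# SQL Server host, Windows authentication to instance $Instance, caller holds CONTROL SERVER.
param([string]$Instance = '.')

function Invoke-SqlQuery {
    param([string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=True;Encrypt=False")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        (New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($table) | Out-Null
        return ,$table   # leading comma keeps an empty DataTable from unrolling to $null
    } finally { $conn.Close() }
}

# 1. Server options a sysadmin-level login uses to run OS commands and download payloads.
#    value_in_use = 1 means shell execution through the SQL engine is already possible.
$risky = Invoke-SqlQuery @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled')
"@
foreach ($row in $risky.Rows) {
    $state = if ($row.value_in_use -eq 1) { 'ENABLED  <-- review' } else { 'disabled' }
    "[config] {0,-28} {1}" -f $row.name, $state
}

# 2. Enabled SQL-authenticated logins exempt from the Windows password policy or expiry.
#    These are the accounts a brute-force campaign from the Internet is most likely to crack.
$weakPolicy = Invoke-SqlQuery @"
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0 AND (is_policy_checked = 0 OR is_expiration_checked = 0)
"@
foreach ($row in $weakPolicy.Rows) {
    "[login]  {0,-28} policy_checked={1} expiration_checked={2}" -f $row.name, $row.is_policy_checked, $row.is_expiration_checked
}

# 3. Logins whose password is blank or on a short, constructed list of trivial guesses.
#    PWDCOMPARE() tests a cleartext candidate against the stored hash inside SQL Server,
#    so no hash leaves the engine. Replace $guesses with your own top-N wordlist.
$guesses = @('', 'sa', 'password', 'Password1', '123456', 'admin')   # constructed sample
foreach ($g in $guesses) {
    $escaped = $g.Replace("'", "''")
    $hits = Invoke-SqlQuery "SELECT name FROM sys.sql_logins WHERE is_disabled = 0 AND PWDCOMPARE(N'$escaped', password_hash) = 1"
    foreach ($row in $hits.Rows) {
        "[weakpw] {0,-28} accepts trivial password '{1}'" -f $row.name, $g
    }
}

# 4. Running processes whose image is signed by a certificate that has already expired.
#    An expired signer is only a lead: a valid timestamp countersignature keeps a signature
#    good after expiry, so the status and signer are printed for a human to judge.
Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.Path
    $cert = $sig.SignerCertificate
    if ($cert -and $cert.NotAfter -lt (Get-Date)) {
        "[sig]    {0,-28} status={1} expired={2:yyyy-MM-dd} signer={3}" -f $_.ProcessName, $sig.Status, $cert.NotAfter, $cert.Subject
    }
}
```

Run it as `.\Check-SqlHost.ps1 -Instance 'HOST\INSTANCE'` (the file name is an assumption). Checks 1 to 3 only need a database connection, so they can be run from a jump host against many instances; check 4 must run on the host itself. A hit in check 3 is the condition the post singles out, a credential that survives a dictionary pass, and should be treated as already exposed if the instance is reachable from the Internet.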