A new China-based campaign dubbed Nansh0u targets Windows MS-SQL and PHPMyAdmin servers worldwide. The attack campaign primarily targets servers belonging to the healthcare, telecommunications, media, and IT sectors.
Guardicore Labs detected the campaign at the beginning of April, but the attacks were found to date back to February 26. Throughout the campaign the threat actors used 20 different payloads, creating at least one new payload a week and deploying each one immediately.
“Hackers used a combined set of five attack servers and six connect-back servers, which suggests an established process of continuous development that was well thought of by the attackers.”
More than 50,000 servers were breached in this campaign. Once a targeted server was compromised, it was infected with a malicious payload, which in turn dropped a crypto-miner that mines TurtleCoin and a sophisticated kernel-mode rootkit.
The Nansh0u campaign is not just a crypto-miner attack; the hackers behind it used advanced techniques typically seen in APT groups, such as fake certificates and privilege escalation exploits.
The attack starts with a series of login attempts against MS-SQL servers to gain administrator privileges. The attackers' infrastructure combines the following modules to launch an attack on MS-SQL servers:
Port scanner – Used to discover MS-SQL servers by IP and to determine the status of the MS-SQL ports.
MS-SQL brute-force tool – Attempts to log in to the MS-SQL server using thousands of common credentials.
Remote Code Executor – If the port scan and brute-force succeed, the next step is to breach the server by executing code on it.
The privilege escalation vulnerability CVE-2014-4113 was then exploited to run the attacker's programs with SYSTEM privileges.
Analysis of the 20 payload samples collected from the attackers' servers and the Guardicore Global Sensor Network shows that each payload is a wrapper with several functions:
1. Execute the crypto-currency miner;
2. Create persistency by writing registry run-keys;
3. Protect the miner process from termination using a kernel-mode rootkit;
4. Ensure the miner’s continuous execution using a watchdog mechanism.
According to Guardicore, most of the payloads drop a kernel-mode driver signed with a certificate issued by the certificate authority VeriSign.
“This campaign was engineered from the phase of IPs scan until the infection of victim machines and mining the crypto-coin. However, various typos and mistakes imply that this was not a thoroughly-tested operation,” reads the Guardicore report.
Researchers assess with confidence that Chinese attackers operated this campaign.