A new China-based campaign dubbed Nansh0u targets Windows MS-SQL and PHPMyAdmin servers worldwide. The attack campaign primarily targets servers belonging to the healthcare, telecommunications, media, and IT sectors.
Guardicore Labs detected the campaign at the beginning of April, but the attacks date back to February 26. Throughout the campaign the threat actors used 20 different payloads, creating at least one new payload a week and deploying each immediately.
“Hackers used a combined set of five attack servers and six connect-back servers, which suggests an established process of continuous development that was well thought of by the attackers.”
More than 50,000 servers were breached in this campaign. Once a targeted server was compromised, it was infected with a malicious payload, which in turn drops a crypto-miner that mines TurtleCoin and a sophisticated kernel-mode rootkit.
The Nansh0u campaign is not just a crypto-miner attack; the hackers behind it used advanced techniques usually seen in APT groups, such as fake certificates and privilege escalation exploits.
The attack starts with a series of login attempts targeting MS-SQL servers to gain administrator privileges. The attackers' infrastructure combines the following modules to launch an attack on MS-SQL servers.
Port scanner – Used to detect MS-SQL servers by IP and to determine the status of MS-SQL ports.
MS-SQL brute-force tool – Attempts to log in to the MS-SQL server using thousands of common credentials.
Remote Code Executor – If the port scan and brute-force succeed, the next step is to breach the server.
A privilege escalation vulnerability, CVE-2014-4113, was exploited to run the programs with SYSTEM privileges.
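Seen from the defender's side, the brute-force stage above leaves a burst of failed logins in the SQL Server ERRORLOG. The following Python script is an added example, not code from the article or from the Guardicore report: it parses constructed sample Logon lines (the ERRORLOG line layout is assumed), flags client IPs with a burst of failures inside a time window, and notes when a later login from the same client succeeded, which is the pattern a credential-guessing tool working through common passwords would produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG style (not from the Guardicore report).
SAMPLE_LOG = """\
2019-04-02 10:15:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-02 10:15:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-02 10:15:01.87 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2019-04-02 10:15:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-02 10:15:02.75 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-02 10:15:03.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2019-04-02 10:20:00.00 Logon       Login failed for user 'alice'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+Login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")

def parse_logon_events(text):
    """Parse Logon lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                           "result": m.group("result"), "user": m.group("user"), "ip": m.group("ip")})
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with at least `threshold` failed logins inside `window`.
    Returns {ip: {"failures": n, "users": [...], "success_after": bool}}, where
    success_after marks a login that succeeded after the burst began (a likely hit)."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "failed"]
        for i in range(len(fails) - threshold + 1):  # sliding window over the failures
            start = fails[i]["ts"]
            if fails[i + threshold - 1]["ts"] - start <= window:
                hits[ip] = {"failures": len(fails),
                            "users": sorted({e["user"] for e in fails}),
                            "success_after": any(e["result"] == "succeeded" and e["ts"] > start for e in evs)}
                break
    return hits

if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_logon_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The single failure from 10.0.0.7 stays below the threshold, so only the bursting client is reported; tune `threshold` and `window` to the normal failure rate of the server being monitored.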
Analyzing the 20 payload samples from the attacker's servers and the Guardicore Global Sensor Network shows that each payload is a wrapper with several functionalities:
1. Execute the crypto-currency miner;
2. Create persistence by writing registry run-keys;
3. Protect the miner process from termination using a kernel-mode rootkit;
4. Ensure the miner's continuous execution using a watchdog mechanism.
According to Guardicore, most of the payloads drop a kernel-mode driver signed with a certificate issued by the Certificate Authority Verisign.
“This campaign was engineered from the phase of IP scan until the infection of victim machines and mining the crypto-coin. However, various typos and mistakes imply that this was not a thoroughly-tested operation,” reads the Guardicore report.
Researchers confidently assess that Chinese attackers operated this campaign.