A new wave of attacks against MS-SQL and phpMyAdmin servers, launched to mine cryptocurrency, has been detected worldwide. More than 50,000 servers belonging to organizations in healthcare, telecommunications, media and IT have been infected.
Guardicore Labs researchers Ophir Harpaz and Daniel Goldberg reported in a blog post that the Nansh0u campaign is considerably more sophisticated than typical cryptocurrency mining attacks.
Over the past two months Guardicore has documented the compromise of Windows MS-SQL and phpMyAdmin servers, beginning on February 26, 2019. On some days more than seven hundred new victims were recorded.
In the Nansh0u campaign the attackers used techniques normally associated with advanced persistent threats (APTs), such as code-signing certificates obtained under a fake company name and privilege-escalation exploits.
The Nansh0u infrastructure comprises five attack servers and six connect-back servers. Once a port scanner identifies a target exposing MS-SQL, the attackers attempt to log in using MS-SQL brute-force tools, which succeed wherever weak account credentials are in use.
This worked in most cases, giving the attackers access to accounts with administrative privileges. The harvested credentials were also stored for later use.
Having collected the IP addresses, ports, usernames and passwords of vulnerable servers, the attackers change the server's settings and create a Visual Basic script file on the victim system, which downloads the malicious payloads from the attackers' servers.
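The intrusion chain above (password brute force against MS-SQL, a successful login from the same source, then configuration changes made through the database) leaves a recognisable trail in the SQL Server ERRORLOG. The following Python detector is an added example written for this article; it is not Guardicore's code and not anything recovered from the campaign. The log lines are constructed in the real ERRORLOG format with documentation-range IP addresses, and the `xp_cmdshell` entry is an assumed illustration of what a "server settings" change looks like in the log, since the article does not say which settings Nansh0u altered. The thresholds and the `analyze_errorlog` function name are likewise the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format (not real log data; IPs are
# from documentation ranges). The 'xp_cmdshell' line is an assumed example of a
# server-settings change; the article does not name the settings Nansh0u changed.
SAMPLE_ERRORLOG = """\
2019-02-26 03:14:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2019-02-26 03:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-02-26 03:14:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-02-26 03:14:01.93 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-02-26 03:14:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-02-26 03:14:02.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-02-26 03:14:03.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-02-26 03:14:03.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2019-02-26 03:14:04.30 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-02-26 03:14:04.35 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-02-26 03:20:00.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Shapes of the ERRORLOG lines the detector cares about.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) (\S+)\s+(.*)$")
FAILED_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def analyze_errorlog(text, threshold=5, window=timedelta(minutes=1)):
    """Return findings for brute-force bursts, logins that follow a burst, and
    configuration changes. `threshold` failures from one client inside `window`
    count as a brute-force attempt (values are this example's own defaults)."""
    findings = []
    failures = defaultdict(list)  # client IP -> timestamps of recent failures
    flagged = set()               # clients already reported as brute-forcing
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, source, msg = parse_ts(m.group(1)), m.group(2), m.group(3)

        f = FAILED_RE.search(msg)
        if f:
            user, ip = f.groups()
            hist = failures[ip]
            hist.append(ts)
            while hist and ts - hist[0] > window:   # slide the window forward
                hist.pop(0)
            if len(hist) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"type": "brute_force", "client": ip, "user": user,
                                 "count": len(hist), "at": ts})
            continue

        s = SUCCESS_RE.search(msg)
        if s:
            user, ip = s.groups()
            recent = [t for t in failures.get(ip, []) if ts - t <= window]
            if len(recent) >= threshold:  # success right after a burst: credentials guessed
                findings.append({"type": "brute_force_success", "client": ip, "user": user,
                                 "prior_failures": len(recent), "at": ts})
            continue

        c = CONFIG_RE.search(msg)
        if c:  # sp_configure-style change made through the database engine
            option, old, new = c.groups()
            findings.append({"type": "config_change", "option": option, "from": int(old),
                             "to": int(new), "spid": source, "at": ts})
    return findings


if __name__ == "__main__":
    for finding in analyze_errorlog(SAMPLE_ERRORLOG):
        print(finding)
```

Failed logins are written to the ERRORLOG by default, but the "Login succeeded" line only appears when the instance's login auditing is set to record both failed and successful logins, so enable that if the post-burst success signal matters to you. Any `config_change` finding that follows a `brute_force_success` from the same session window is the pattern described in the article and deserves an immediate look at the scripts and files created on the host around the same time.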
The researchers recorded 20 separate malicious payloads used during Nansh0u, with new variants created weekly.
The payloads exploited CVE-2014-4113, a vulnerability first reported in 2014 in win32k.sys that affects Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1.
Exploiting it lets a local user gain elevated privileges via a crafted application. Microsoft fixed it in bulletin MS14-058 in October 2014, so a server that is current on patches is not exposed to this step of the chain, even after the attackers have obtained an MS-SQL login.
After compromising a server, the payloads drop a cryptocurrency miner and install a sophisticated kernel-mode rootkit to maintain persistence and prevent the mining malware from being terminated.
The miners mine TurtleCoin through four different mining pools, or use XMRig, an open-source Monero miner.
Several payloads dropped a kernel-mode driver, signed with a certificate issued by Verisign, whose purpose is to protect the miner's processes from being killed. While the campaign was active, the valid signature meant the driver was treated as legitimate and passed driver-signature checks; a valid signature proves only that the certificate holder signed the binary, not that the binary is benign. The driver was additionally packed with VMProtect to make reverse engineering harder.
The certificate was issued in the name of a fake Chinese company, Hangzhou Hootian Network Technology.
Nansh0u is believed to originate from China, given the attackers' certificate and their use of EPL, a programming language whose syntax is written in Chinese. Some of the file servers used during the campaign are also based in China, and many of the log files and binaries contain Chinese strings.
Guardicore contacted the hosting provider of the attack servers as well as Verisign; the servers were taken down and the certificate revoked. That does not mean the campaign cannot return with a fresh set of servers and a new, valid code-signing certificate.