30 May 2019

Hackers infected over 50K Windows MS-SQL and PHPMyAdmin servers worldwide with cryptomining malware

More than 50,000 servers belonging to organizations in healthcare, telecommunications, media, and IT across the globe have been infected with cryptomining malware in the recent campaign dubbed Nansh0u by the cybersecurity researchers from Guardicore Labs.

Behind the malicious campaign is reportedly an APT-style Chinese hacking group, which uses advanced techniques such as fake certificates and privilege escalation exploits to install malicious payloads on compromised servers.

The attacks date back to February 26 but were first detected at the beginning of April. Throughout the campaign, the threat actors used 20 different payload versions hosted on various hosting providers.

Each attack started with a series of authentication attempts to a MS-SQL server, eventually leading to a successful login with administrative privileges. Once breached, the targeted servers were infected with malicious payloads, which, in turn, downloaded a crypto-miner to mine TurtleCoin cryptocurrency and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.
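The attack chain above begins with a burst of failed MS-SQL logins followed by a successful one. The following is an added detection example, not code from the original article or from Guardicore; it parses constructed SQL Server ERRORLOG-style lines and flags any successful login that was preceded by a burst of failures from the same client address. The sample log lines, the client addresses, the 10-minute window and the failure threshold of 20 are all constructed for the example. Note that SQL Server only writes successful logins to the ERRORLOG when login auditing is set to record both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Login failed/succeeded for user '...' ... [CLIENT: x.x.x.x]"
# lines SQL Server writes to its ERRORLOG (timestamp, source column, message).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]\s]+)\]"
)


def parse_logon_events(lines):
    """Return a list of logon events (timestamp, success flag, user, client)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # non-logon lines (startup messages, Error: 18456 headers)
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "success": m["result"] == "succeeded",
            "user": m["user"],
            "client": m["client"],
        })
    return events


def find_bruteforce_logins(events, window=timedelta(minutes=10), threshold=20):
    """Flag a successful login preceded by at least `threshold` failed logins
    from the same client within `window`. Returns (client, user, ts, failures)."""
    failures = defaultdict(list)  # client -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # keep only failures still inside the sliding window
        recent = [t for t in failures[ev["client"]] if ev["ts"] - t <= window]
        failures[ev["client"]] = recent
        if ev["success"]:
            if len(recent) >= threshold:
                alerts.append((ev["client"], ev["user"], ev["ts"], len(recent)))
        else:
            recent.append(ev["ts"])
    return alerts


def _build_sample_log():
    """Constructed ERRORLOG excerpt: 25 failures then a success from one client
    (the brute-force pattern), plus a legitimate admin who mistypes 3 times."""
    base = datetime(2019, 4, 2, 10, 15, 0)

    def entry(ts, result, user, client):
        reason = (" Reason: Password did not match that for the login provided."
                  if result == "failed"
                  else " Connection made using SQL Server authentication.")
        return (f"{ts:%Y-%m-%d %H:%M:%S}.12 Logon       Login {result} for user "
                f"'{user}'.{reason} [CLIENT: {client}]")

    lines = [f"{base:%Y-%m-%d %H:%M:%S}.12 spid12s     "
             "SQL Server is now ready for client connections."]
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S}.12 Logon       "
                     "Error: 18456, Severity: 14, State: 8.")
        lines.append(entry(t, "failed", "sa", "203.0.113.5"))
    lines.append(entry(base + timedelta(seconds=30), "succeeded", "sa", "203.0.113.5"))
    for i in range(3):
        lines.append(entry(base + timedelta(minutes=1, seconds=i),
                           "failed", "dbadmin", "198.51.100.7"))
    lines.append(entry(base + timedelta(minutes=1, seconds=5),
                       "succeeded", "dbadmin", "198.51.100.7"))
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for client, user, ts, n in find_bruteforce_logins(parse_logon_events(SAMPLE_LOG)):
        print(f"{ts} brute-force login: {user!r} from {client} after {n} failures")
```

The legitimate admin's three typos stay below the threshold and produce no alert; only the client that hammered the `sa` account is reported. In production the same logic applies to Windows Security event 4625/4624 pairs or to a SIEM query, and the threshold should be tuned to the server's normal failure rate.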

To gain SYSTEM privileges on the compromised systems, the attackers used two exploits (apexp.exe and apexp2012.exe) for a known privilege escalation vulnerability, SB2014101401 (CVE-2014-4113). The former (also known as Apolmy) affects both desktop and server versions of Windows (XP to 8.1 and 2003 to 2012 R2, respectively), while the second is designed for Windows 8.1 and looks more like a proof of concept than an operational exploit.

“While both versions use the same vulnerability, they execute kernel-mode code for different purposes. The Apolmy version copies the SYSTEM process access token to its own process. With that token, the exploiting process runs the payload with full control over the victim machine,” explained the researchers.

The experts analysed the 20 payload samples from the group’s servers and found that each payload is a wrapper with several functions:

1. Execute the crypto-currency miner;

2. Create persistency by writing registry run-keys;

3. Protect the miner process from termination using a kernel-mode rootkit;

4. Ensure the miner’s continuous execution using a watchdog mechanism.

Since this campaign relies on weak username and password combinations for MS-SQL and PHPMyAdmin servers, administrators are strongly advised to always use strong, complex passwords for their servers.

“This campaign demonstrates once again that common passwords still comprise the weakest link in today’s attack flows. Seeing tens of thousands of servers compromised by a simple brute-force attack, we highly recommend that organizations protect their assets with strong credentials as well as network segmentation solutions,” concluded the researchers.
