More than 50,000 servers belonging to organizations in healthcare, telecommunications, media, and IT across the globe have been infected with cryptomining malware in the recent campaign dubbed Nansh0u by the cybersecurity researchers from Guardicore Labs.
Behind the malicious campaign is reportedly an APT-style Chinese hacking group, which uses advanced techniques such as fake certificates and privilege escalation exploits to install malicious payloads on compromised servers.
The attacks date back to February 26 but were first detected at the beginning of April. Throughout the campaign the threat actors used 20 different payload versions, hosted with various hosting providers.
Each attack started with a series of authentication attempts against an MS-SQL server, eventually leading to a successful login with administrative privileges. Once breached, the targeted servers were infected with malicious payloads, which in turn downloaded a crypto-miner to mine TurtleCoin cryptocurrency and installed a sophisticated kernel-mode rootkit to prevent the miner from being terminated.
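The brute-force stage described above is the earliest point at which a defender can see this campaign, so the check a practitioner wants is a detector for "many failed SQL logins from one client, then a success". The following Python is an added example, not code from the Guardicore report or from the campaign's tooling. It parses constructed SQL Server ERRORLOG lines (the "Login failed"/"Login succeeded ... [CLIENT: ip]" format); the IP addresses, login names and timestamps are made up, and it assumes the instance's login auditing is set to record both failed and successful logins (by default only failures are written).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not real campaign data). Format follows
# SQL Server's logon audit messages; "Error: 18456" companion lines are kept
# to show they must be skipped. Addresses are documentation ranges.
SAMPLE_ERRORLOG = """\
2019-04-02 10:15:23.45 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-02 10:15:23.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-02 10:15:24.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-02 10:15:24.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-02 10:15:25.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-02 10:15:25.98 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-02 10:15:26.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-04-02 10:15:40.02 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-02 10:15:40.02 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2019-04-02 10:16:02.88 Logon       Login succeeded for user 'backup'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.9]
2019-04-02 10:17:01.12 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2019-04-02 10:30:00.00 Logon       Login succeeded for user 'reporting'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
"""

# Matches only the audit lines that carry a result, a login name and a client IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<ip>[^\]\s]+)\]"
)


def parse_errorlog(text):
    """Turn ERRORLOG text into a time-ordered list of logon events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Error: 18456" lines and unrelated messages carry no client IP
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "ok": m["result"] == "succeeded",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def failed_attempts_by_source(events):
    """Failure count per client IP; a quick view of who is guessing."""
    counts = defaultdict(int)
    for ev in events:
        if not ev["ok"]:
            counts[ev["ip"]] += 1
    return dict(counts)


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when a client IP has >= threshold failures within `window` and then
    logs in successfully. Events must be in time order, as ERRORLOG is."""
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures in the window
    alerts = []
    for ev in events:
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"],
                           "failures": len(q), "at": ev["ts"]})
            q.clear()  # one alert per burst, not one per later successful login
    return alerts


if __name__ == "__main__":
    evs = parse_errorlog(SAMPLE_ERRORLOG)
    print("failures by source:", failed_attempts_by_source(evs))
    for a in detect_bruteforce_then_success(evs):
        print(f"ALERT {a['at']} {a['ip']} logged in as '{a['user']}' "
              f"after {a['failures']} failures")
```

On the sample, the one-off typo from 198.51.100.9 stays below the threshold, while 203.0.113.7 trips the alert when it finally logs in as `sa`. The threshold and window are tunable assumptions; on a real instance the same logic can be fed from `xp_readerrorlog` output or from Windows Security event 4625/4624 pairs if the server uses Windows authentication.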
To gain SYSTEM privileges on the compromised systems, the attackers used two exploits (apexp.exe and apexp2012.exe) for a known, long-patched privilege escalation vulnerability, SB2014101401 (CVE-2014-4113, a win32k.sys kernel bug fixed in MS14-058). The former (also known as Apolmy) affects both desktop and server versions of Windows (XP through 8.1 and Server 2003 through 2012 R2, respectively), while the second is built for Windows 8.1 only and looks more like a proof of concept than an operational exploit.
“While both versions use the same vulnerability, they execute kernel-mode code for different purposes. The Apolmy version copies the SYSTEM process access token to its own process. With that token, the exploiting process runs the payload with full control over the victim machine,” explained the researchers.
The experts analysed the 20 payload samples from the group's servers and found that each payload is a wrapper with several functions:
1. Execute the crypto-currency miner;
2. Establish persistence by writing registry Run keys;
3. Protect the miner process from termination using a kernel-mode rootkit;
4. Ensure the miner's continuous execution using a watchdog mechanism.
Since this campaign relies on weak username and password combinations for MS-SQL and phpMyAdmin servers, administrators are strongly advised to use strong, unique passwords for these accounts and not to expose database management interfaces to the internet.
“This campaign demonstrates once again that common passwords still comprise the weakest link in today’s attack flows. Seeing tens of thousands of servers compromised by a simple brute-force attack, we highly recommend that organizations protect their assets with strong credentials as well as network segmentation solutions,” concluded the researchers.