A new report carried out by Guardicore Labs has outlined the details of a prevailing cryptojacking (cryptomining) operation targeting Windows MS-SQL and PHPMyAdmin servers on a global scale.
Nansh0u Malware Campaign: Some Details
The malicious campaign is dubbed Nansh0u and is controlled by a Chinese hacking group. The group infected at least 50,000 servers with a sophisticated kernel-mode rootkit which prevents the malware from being terminated.
According to the report, the infected servers belong to companies in the healthcare, telecommunications, media and IT sectors.
The researchers observed the release and deployment of 20 different payload versions during the campaign. They also got in touch with the hosting provider of the attack servers as well as the issuer of the rootkit certificate. As a result, the attack servers were taken down and the certificate was revoked, the report said.
Note that the Nansh0u campaign is not a typical cryptojacking attack. It uses techniques observed in advanced persistent threats, like fake certificates and privilege escalation exploits. The campaign simply shows that sophisticated malicious tools can also be utilized by not-so-sophisticated and skillful attackers.
How is the Nansh0u attack initiated?
The attackers first locate publicly accessible Windows MS-SQL and PHPMyAdmin servers via a port scanner. Then, they use brute-forcing and obtain admin privileges to execute a sequence of MS-SQL commands on the compromised system. Once this is done, the malicious payload is downloaded from a remote file server and is run with SYSTEM privileges.
A specific vulnerability is also included in the attack scenario – CVE-2014-4113. The latter is a well-known privilege escalation bug deployed to gain SYSTEM privileges on compromised hosts.
Here’s the official description of the vulnerability:
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka “Win32k.sys Elevation of Privilege Vulnerability.”
The vulnerability helps exploit the Winlogon process by injecting code into it. The injected code creates a new process which inherits Winlogon SYSTEM privileges, providing equivalent permissions as the prior version, the researchers explained. After this is all done, the payload installs a crypto-mining malware to mine a cryptocurrency known as TurtleCoin.
Similar to many other attacks, the Nansh0u operation is relying on a combination of weak usernames and passwords for MS-SQL and PHPMyAdmin servers. To avoid malicious exploits, administrators should always use strong, complex passwords for their accounts.