Nansh0u Campaign Infects 50,000 Servers with Kernel-Mode Rootkit

A new report published by Guardicore Labs details an ongoing cryptojacking (cryptomining) operation targeting Windows MS-SQL and PHPMyAdmin servers on a global scale.





Nansh0u Malware Campaign: Some Details

The malicious campaign is dubbed Nansh0u and is controlled by a Chinese hacking group. The group infected at least 50,000 servers with a sophisticated kernel-mode rootkit which prevents the malware from being terminated.

According to the report, the infected servers belong to companies in the healthcare, telecommunications, media and IT sectors.

The researchers observed the release and deployment of 20 different payload versions during the campaign. They also got in touch with the hosting provider of the attack servers as well as the issuer of the rootkit certificate. As a result, the attack servers were taken down and the certificate was revoked, the report said.

Note that the Nansh0u campaign is not a typical cryptojacking attack. It uses techniques usually observed in advanced persistent threats, such as fake certificates and privilege escalation exploits. The campaign shows that sophisticated malicious tools can also be used by less sophisticated, less skilled attackers.


How is the Nansh0u attack initiated?

The attackers first locate publicly accessible Windows MS-SQL and PHPMyAdmin servers with a port scanner. They then brute-force the login credentials to obtain administrative privileges and execute a sequence of MS-SQL commands on the compromised system. Once this is done, the malicious payload is downloaded from a remote file server and run with SYSTEM privileges.

A specific vulnerability is also part of the attack chain: CVE-2014-4113. It is a well-known privilege escalation bug used to gain SYSTEM privileges on compromised hosts.

Here’s the official description of the vulnerability:

win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka “Win32k.sys Elevation of Privilege Vulnerability.”

The vulnerability is used to exploit the Winlogon process by injecting code into it. The injected code spawns a new process that inherits Winlogon's SYSTEM privileges, giving it permissions equivalent to those of the prior version, the researchers explained. Once this is done, the payload installs crypto-mining malware that mines a cryptocurrency known as TurtleCoin.

Like many other attacks, the Nansh0u operation relies on weak usernames and passwords on MS-SQL and PHPMyAdmin servers. To reduce the risk of such attacks, administrators should always use strong, complex passwords for their accounts.
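The brute-force initial access described under "How is the Nansh0u attack initiated?" and the weak-credential point above can be spotted on the defender's side by watching the SQL Server error log for a burst of failed logins from one client followed by a success. The following Python example is added here and is not part of the article or of the Guardicore report; the log lines are constructed samples in the default SQL Server error-log format, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SQL Server error-log lines (not taken from the report).
SAMPLE_LOG = """\
2019-05-28 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-05-28 10:15:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-05-28 10:15:01.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-05-28 10:15:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-05-28 10:15:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-05-28 10:15:02.61 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2019-05-28 11:02:17.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

# Matches the timestamp, outcome, login name and client address of a Logon line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)

def parse_logon_events(text):
    """Return Logon events as dicts with ts, result, user and client; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "result": m["result"], "user": m["user"], "client": m["client"]})
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map client IP -> 'brute_force' (failure burst) or 'brute_force_success' (burst then a login)."""
    alerts = {}
    failures = defaultdict(list)  # client -> timestamps of recent failed logins
    for ev in events:
        recent = failures[ev["client"]]
        recent[:] = [t for t in recent if ev["ts"] - t <= window]  # drop failures outside the window
        if ev["result"] == "failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold:
                alerts.setdefault(ev["client"], "brute_force")
        elif len(recent) >= threshold:
            # A success right after a failure burst: the credential was most likely guessed.
            alerts[ev["client"]] = "brute_force_success"
    return alerts
```

Running `detect_bruteforce(parse_logon_events(SAMPLE_LOG))` flags 203.0.113.45 as `brute_force_success` and ignores the single failure from 10.0.0.8; the same logic applies to the PHPMyAdmin web-server access log once the parser is swapped.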

Milena Dimitrova