A Chinese threat group has compromised an estimated 50,000 servers running MS-SQL and phpMyAdmin to install a miner for an open source cryptocurrency called TurtleCoin. The cryptojacking campaign, dubbed Nansh0u, has been active since February and has infected poorly secured systems in 90 countries, with the majority located in China, the US and India. The threat group scans for open MS-SQL ports and launches brute force attacks using a list of commonly used credentials. If login is successful, the attacker uses MS-SQL commands to execute a known privilege escalation exploit (CVE-2014-4113), which allows the cryptominer payload to be downloaded. To avoid detection, the payload is heavily obfuscated and uses fake digital certificates issued by legitimate Certification Authorities such as Verisign. More than 20 different payload samples were collected throughout the campaign, suggesting that the threat group is following an active development cycle and introducing at least one new variant weekly. For phpMyAdmin, no attack module was detected, but the large number of compromised servers running phpMyAdmin strongly indicates that the threat group is adept at breaching such systems. Organisations running servers using MS-SQL and phpMyAdmin are strongly encouraged to implement strong passwords to secure these systems, especially on external-facing servers.
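The campaign's initial access relies on password guessing against exposed MS-SQL instances, which leaves a visible trail: a burst of failed logins (error 18456) from one client address. The script below is an added defender-side example, not part of the original report, showing how to parse SQL Server ERRORLOG "Login failed" entries and flag clients exceeding a failure threshold within a sliding time window. The log lines are constructed samples modelled on the ERRORLOG format, and the client addresses are documentation-range placeholders, not indicators from the campaign.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the SQL Server ERRORLOG format.
# Client addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2019-05-20 10:01:02.11 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-20 10:01:02.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-20 10:01:05.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-20 10:01:08.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-20 10:01:11.53 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-20 10:01:14.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-20 10:01:17.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-20 10:03:44.90 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
2019-05-20 10:03:50.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.4]
"""

# Timestamp, login name and client address from a "Login failed" line.
FAILED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '([^']+)'\..*\[CLIENT: ([^\]]+)\]"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, user, client) tuples for failed logins."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # skip the 18456 header line, successes and other entries
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Map client -> peak number of failed logins seen inside one window.

    Only clients whose peak reaches `threshold` are returned. A sliding
    window is used so a slow, steady guessing rate is measured the same
    way as a rapid burst.
    """
    by_client = defaultdict(list)
    for ts, _user, client in events:
        by_client[client].append(ts)

    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


def targeted_logins(events):
    """Count which login names attract failures; 'sa' dominating is typical."""
    return Counter(user for _ts, user, _client in events)


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    for client, n in find_bruteforce(evs).items():
        print(f"possible brute force from {client}: {n} failures within 1 minute")
    print("logins targeted:", dict(targeted_logins(evs)))
```

On a live server the same parser can be pointed at the output of `xp_readerrorlog` or the ERRORLOG file; tune `threshold` and `window` to the instance's normal failure rate, and treat a flagged client that is also hitting `sa` as a priority for blocking at the firewall and for a credential review.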