Weekly Comments

28 May - 4 June 2019

A Chinese threat group has compromised an estimated 50,000 servers running MS-SQL and phpMyAdmin

A Chinese threat group has compromised an estimated 50,000 servers running MS-SQL and phpMyAdmin to install a miner for an open source cryptocurrency called TurtleCoin. The cryptojacking campaign dubbed Nansh0u has been active since February and infected poorly secured systems in 90 countries, with the majority located in China, the US and India. The threat group scans for open MS-SQL ports to launch brute force attacks with a list of commonly-used credentials. If login is successful, the hacker will use MS-SQL commands to execute a known privilege escalation exploit (CVE-2014-4113), which allows the download of the cryptominer payload. To avoid detection, the payload is heavily obfuscated and uses fake digital certificate issued by legitimate Certification Authorities such as Verisign. More than 20 different payload samples are collected throughout the campaign, suggesting that the threat group is adopting an active development cycle to introduce at least one new variant weekly. For phpMyAdmin, no attack module is detected but the large number of compromised servers running phpMyAdmin strongly indicate that the threat group is adept at breaching such systems. Organisations running servers using MS-SQL and phpMyAdmin are strongly encouraged to implement strong passwords to secure the systems, especially at external facing servers. 


The Nansh0u Campaign – Hackers Arsenal Grows Stronger


More Weekly Cyber Newsanalysis and insights

Ensign Consulting

Enhancing your security posture, developing your cyber strategy, and designing your incident response plans.​

Ensign Systems Integration

Architecting and implementing cybersecurity solutions that bolster defences

Ensign Managed Security Services

Managing your security operations for advanced threat detection, continuous monitoring, and triage services

Ensign Labs

Performing deep research to analyse vulnerabilities, deploy advanced threat hunting and provide cyber threat intelligence