According to a new report, hackers have breached 50,000 servers all over the world with crypto-mining malware. Guardicore, a cybersecurity firm, said on May 29 that the large-scale malware attack dubbed the ‘Nansh0u campaign’ has been going on since February, with over seven hundred new victims every day. The attack mostly targeted companies in the healthcare, telecommunications, media and IT sectors, and mainly aimed to infect Windows MS-SQL and phpMyAdmin servers worldwide. What is really worrying about this attack is the use of techniques often seen in APTs [Advanced Persistent Threats], such as fake certificates and privilege escalation exploits, which are considered elite weapons when it comes to security breaches.
According to Guardicore, there were 20 different malicious cryptocurrency-mining payloads, with new ones created at least once a week and used immediately after their creation. The troublesome thing about this malware was that it came with a sophisticated kernel-mode rootkit which prevented its removal or termination. The main victims of the attack were companies in the US, China and India. The package containing the malware was written in the Chinese language.
If you think this is just a typical breach, then believe me, you could not be more wrong. Most malware attacks try to get in through the back door, but this time the malware came in through the front door by using credentials. Weak usernames and passwords were one of the main culprits that led to the breach, proving once again the need for strong usernames and passwords. Guardicore said that the malware also used advanced technical capabilities, such as apexp.exe and others, which took advantage of a kernel-mode vulnerability to execute code with SYSTEM privileges.
The attack worked in three steps:
- Detect MS-SQL servers by checking for open MS-SQL ports.
- Breach the MS-SQL machines using commonly used credentials [the main reason it succeeded].
- Execute MS-SQL commands on the breached machines.
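Because the second step is plain credential guessing against the database login, the most direct sign of it on a victim is a burst of failed logins for one account from one client address. The following detector, added here as an example and not part of Guardicore's report or tooling, scans SQL Server ERRORLOG lines for that pattern; the log excerpt is constructed sample data, and the threshold and window values are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Login failed" line SQL Server writes to its ERRORLOG, including
# the connecting client's address. The timestamp format is SQL Server's own.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_brute_force(log_lines, threshold=5, window_seconds=60):
    """Return {(client_ip, user): total_failures} for every client that failed
    to log in to one account at least `threshold` times inside any sliding
    window of `window_seconds`. Non-matching lines (e.g. 'Error: 18456') are skipped."""
    failures = defaultdict(list)
    for line in log_lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            failures[(m.group("client"), m.group("user"))].append(ts)
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until the span fits within window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = len(times)
                break
    return hits

# Constructed sample ERRORLOG excerpt (not real data): one source hammers 'sa',
# another fails twice for a different account and stays below the threshold.
SAMPLE_LOG = [
    "2019-05-29 10:15:32.12 Logon       Error: 18456, Severity: 14, State: 8.",
    "2019-05-29 10:15:32.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2019-05-29 10:15:33.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2019-05-29 10:15:34.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2019-05-29 10:15:35.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2019-05-29 10:15:36.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2019-05-29 10:16:02.15 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]",
    "2019-05-29 10:41:09.33 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]",
]

if __name__ == "__main__":
    for (client, user), n in find_brute_force(SAMPLE_LOG).items():
        print(f"possible brute force: {client} -> '{user}' ({n} failures)")
```

On a live server the same check can be pointed at the ERRORLOG file or at SQL Server's audit output, and the accounts it flags are the ones whose passwords need replacing first.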
The level of sophistication used in the attack is pretty high, but it could have been prevented by avoiding common usernames and passwords. The ‘Nansh0u campaign’ was a brute force attack which exploited both the weakness of the servers and our carelessness. Another important thing to note about this attack is the hackers' use of advanced techniques at the level of state-level cyber weaponry, which is, to be honest, a pretty worrying thing for people.