Within the last four months, hackers have infected over 50,000 servers using a unique mining malware system. The malware was used to mine TurtleCoin as part of a cryptojacking campaign known as the “Nansh0u Campaign”.
According to research by Guardicore Labs, a cybersecurity firm, the campaign was detected in early April but has been ongoing for several months. It has been spreading fast, with over 700 new victims per day worldwide, and the hackers' targets are servers in the IT, media, telecoms and healthcare sectors.
As the analysis explains:
“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”
In April, a similar attack was encountered in which the IP addresses originated from South Africa. Reportedly, the hackers used the same attack and breach method, and about 20 harmful payloads are created each week and put to use as soon as they are finished. In addition, the malware included a rootkit that enabled it to run undetected.
To install the rootkit, the hackers used attack servers and a rootkit certificate, which were later removed and revoked. In their report, the researchers stated that the sophisticated tools, as well as the server, were written in the Chinese language.
“The Nansh0u campaign is not a typical crypto-miner attack. It uses techniques often seen in APTs (advanced persistent threats) such as fake certificates and privilege escalation exploits. While advanced attack tools have normally been the property of highly skilled adversaries, this campaign shows that these tools can now easily fall into the hands of less than top-notch attackers.”
The firm concluded that the campaign shows that commonly used credentials cannot protect company assets, since hackers can easily access them. The attackers' process is to seek out MS-SQL servers by scanning IP addresses for open MS-SQL ports, and then to use brute-force methods to breach the exposed machines.
They use thousands of common credentials to log in to the MS-SQL server; once a login succeeds, the server's address, username and password are saved and filed for later use.
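The brute-force stage described above leaves a characteristic trail in the SQL Server errorlog: a burst of `Login failed` lines from one client, sometimes followed by a `Login succeeded` from the same address. The following detector is an added example, not code from the Guardicore report; the log excerpt is constructed, and the thresholds (5 failures within 60 seconds) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server errorlog excerpt (not from the report): a burst of failures from one client, one stray failure, then a success.
SAMPLE_ERRORLOG = """\
2019-04-10 12:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 12:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 12:00:01.90 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2019-04-10 12:00:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 12:00:02.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 12:05:00.00 Logon       Login failed for user 'report_user'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-04-10 12:09:00.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) Logon\s+Login (?P<outcome>failed|succeeded) "
    r"for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(errorlog_text):
    """Turn Logon lines into dicts with timestamp, outcome, login name and client IP."""
    events = []
    for line in errorlog_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           "outcome": m["outcome"], "user": m["user"], "client": m["client"]})
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside a sliding `window`, and note
    whether that client later logged in successfully (a password may have been guessed)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        (failures if e["outcome"] == "failed" else successes)[e["client"]].append(e)
    findings = {}
    for client, fails in failures.items():
        times = [f["ts"] for f in fails]
        burst_end = next((times[i + threshold - 1] for i in range(len(times) - threshold + 1)
                          if times[i + threshold - 1] - times[i] <= window), None)
        if burst_end is None:
            continue
        findings[client] = {
            "failures": len(fails),
            "users_tried": sorted({f["user"] for f in fails}),
            "success_after_burst": any(s["ts"] > burst_end for s in successes[client]),
        }
    return findings
```

Running `detect_bruteforce(parse_logon_events(SAMPLE_ERRORLOG))` flags only 203.0.113.5, with `success_after_burst` set, which is the case that warrants an immediate credential reset and host investigation.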
The campaign demonstrates that the use of common passwords is still the weakest link in today's attacks. The researchers added:
“Seeing tens of thousands of servers compromised by a simple brute-force attack, we highly recommend that organizations protect their assets with strong credentials as well as network segmentation.”