New China-Based Campaign Targets Windows MS-SQL and Phpmyadmin Servers Worldwide

New China-Based Campaign Targets Windows MS-SQL and Phpmyadmin Servers Worldwide
A china based attack campaign has primarily targeted on
servers having a place with the healthcare, telecommunications, media, and IT
segments. The campaign named as Nansh0u is known to target Windows MS-SQL and
PHPMyAdmin servers around the world.
Despite the fact that the campaign was detected towards the
start of April, however the attacks were observed to go back to February 26.
All through the campaign the threat actors used 20 unique payloads, and
continued making at least one payload a week and utilized them right away.
More than 50,000 servers were reported to be breached in
this campaign, when the targeted servers compromised they were infected with a
rather pernicious payload, which thusly drops a crypto-miner that mines
TurtleCoin and sophisticated kernel-mode rootkit.
The hackers behind this campaign utilize propelled systems
pursued by APTS groups, like the ‘fake certificates and privilege escalation
exploits’ so to state the Nansh0u campaign isn’t only a crypto-miner attack.
The attack begins with a serious of login endeavors
targeting MS-SQL servers in order to gain administrator privileges. Attacker’s
infrastructure consolidates the following modules to dispatch an attack on
MS-SQL servers.
  • Port scanner
  • MS-SQL brute-force tool
  • Remote Code Executor

And by analysing the 20 payload samples from the attacker’s
servers and Guardicore Global Sensor Network, each payload is a wrapper and has
several functionalities.
The reasons being why the researchers are quite confident in
accessing that Chinese attackers have operated this campaign are:
  •  The attacker choosing
    to write their tools with EPL, a Chinese-based programming language.
  • Some of the file servers deployed for this campaign are HFSs
    in Chinese.
  • Many log files and binaries on the servers included Chinese
    strings, such as (“duplicates removed”) in logs containing breached machines,
    or (“start”) in the name of the script initiating port scans.

Share this with Your friends:

Leave a Reply

Your email address will not be published. Required fields are marked *