Over 50,000 servers around the world have been infected with crypto-coin-mining malware scripts attacking Windows MS-SQL and PHPMyAdmin worldwide.
The exploit was disovered by Guardicore labs who have dubbed it Nansh0u. The malicious campaign is reportedly being carried out by a Chinese hacking group who has are also installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.
The campaign, which dates back to February 26 but was first detected in early-April, has been found delivering 20 different payload versions hosted on various hosting providers.
The attack itself uses relatively low-tech methods to get into the targeted boxes. The attack server first scans for servers with open SQL Server ports and then attempts to brute-force the password. Upon successful login authentication with administrative privileges, the attackers execute a sequence of MS-SQL commands on the compromised system to download a malicious payload from a remote file server and run it with SYSTEM privileges to implant a kernel-mode rootkit to prevent the malware from being terminated on the victim server.
In the background, the payload leverages a known “elevation of privilege” escalation vulnerability (CVE-2014-4113) to gain SYSTEM privileges on the compromised systems.
Using this Windows privilege, the attacking exploit injects code into the Winlogon process. The injected code creates a new process which inherits Winlogon SYSTEM privileges, providing equivalent permissions as the prior version.
The payload then installs a cryptocurrency mining malware on compromised servers that mines TurtleCoin cryptocurrency in the background.
The Guardicore team found that the malware had used cryptographically signed driver-level rootkits that were last spotted as part of sophisticated Beijing-backed hacking operations.
We found that the driver had a digital signature issued by the top Certificate Authority Verisign. The certificate – which is expired – bears the name of a fake Chinese company – Hangzhou Hootian Network Technology. In addition, the driver supports practically every version of Windows from Windows 7 to Windows 10, including beta versions. This exhaustive coverage is not the work of a hacker writing a rootkit for fun.
Since the attack relies on a weak username and password combinations for MS-SQL and PHPMyAdmin servers, administrators are advised to always keep a strong, complex password for their accounts.