Nansh0u campaign targets Windows MS-SQL and PHPMyAdmin servers


A China-based cyber campaign dubbed “Nansh0u” has targeted tens of thousands of unsecured Windows MS-SQL and PHPMyAdmin servers worldwide.

According to a research report by Guardicore Labs, Nansh0u has successfully compromised nearly 50,000 systems in the healthcare, telecommunications, media and IT sectors.

The attackers were then able to deploy malicious payloads onto the compromised systems to install a crypto-miner and a sophisticated kernel-mode rootkit that prevents the malware from being terminated. Twenty different payloads were used in the campaign.

Guardicore first spotted Nansh0u activity in April, but later found that attacks using similar patterns had started a couple of months earlier, in February this year.

The attack flow of the Nansh0u campaign consists primarily of four stages:

  1. Port scan: detect MS-SQL servers with ports open to the internet
  2. Brute force: breach MS-SQL servers using commonly used and weak credentials
  3. Attack: execute commands on victim servers
  4. Infection: download malicious payloads and miners from a remote file server under the attacker's control.
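To show the brute-force stage from the defender's side, here is an added example (written for this page, not code from the Guardicore report) that parses SQL Server ERRORLOG "Login failed" lines and flags any client address with repeated failures. The ERRORLOG line layout is assumed from typical SQL Server logs and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed SQL Server ERRORLOG layout for a failed login (error 18456):
# "<timestamp> Logon   Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]"
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_login_failures(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line; the
    preceding 'Error: 18456' summary lines carry no client and are skipped."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("client")

def detect_bruteforce(lines, threshold=5):
    """Return {client_ip: (failure_count, sorted logins tried)} for each source
    with at least `threshold` failures, the pattern of password guessing."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for _ts, user, client in parse_login_failures(lines):
        counts[client] += 1
        users[client].add(user)
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}

# Constructed sample excerpt: one address hammering 'sa'/'admin', one single typo.
SAMPLE_LOG = """\
2019-04-10 02:11:03.41 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-10 02:11:03.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 02:11:03.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 02:11:03.77 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2019-04-10 02:11:03.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 02:11:04.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 02:11:04.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 09:40:17.02 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-10 09:40:17.02 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

if __name__ == "__main__":
    for ip, (n, tried) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins, logins tried: {', '.join(tried)}")
```

On a live server the same parser can be pointed at the ERRORLOG files under the instance's Log directory, and the flagged addresses checked against the list of hosts that should be able to reach the SQL port at all.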

The attackers used two executables (apexp.exe and apexp2012.exe), which are versions of a privilege escalation (PE) exploit. Each of these malicious files exploits a known privilege escalation vulnerability (CVE-2014-4113). Any program passed to these executables is run with SYSTEM privileges.

Organizations should treat this campaign as another lesson learned: close down the “weakest links” and harden SQL/database systems against attack, for example by limiting exposed SQL ports and enforcing strong passwords.

“Seeing tens of thousands of servers compromised by a simple brute-force attack, we highly recommend that organizations protect their assets with strong credentials as well as network segmentation solutions,” Guardicore noted.

You can read more technical details about the campaign in the Guardicore blog post. Also see our previous post on how attackers targeted MySQL systems exposed to the internet and installed GandCrab malware.