Wed. Aug 12th, 2020

Hackers infected over 50,000 MS-SQL and PHPMyAdmin servers with rootkit

2 min read

Guardicore Labs security researcher has released a report, the report on the attack Windows MS-SQL Server and PHPMyAdmin on a global scale hacking, codenamed “Nansh0u”, and this is the source of the attack by Chinese hackers.

According to the report, more than 50,000 servers, including healthcare, telecommunications, media, and IT companies, were attacked, and once attacked, target servers were infected with malicious payloads. The hacker also installed a complex kernel-mode rootkit to prevent malware from being terminated. This is not a typical cryptographic attack. It uses techniques that are common in APT (Advanced Persistent Threat, which is essentially targeted attacks), such as fake certificates and privilege escalation vulnerabilities.

The attack was first discovered in early April, but dates back to February 26, with more than 700 new victims every day. The researchers found that there were more than 20 different effective malicious payloads, during which at least one new malicious payload was created each week, and the number of infected computers doubled in a month.

After successful login authentication with administrative privileges, an attacker executes a series of MS-SQL commands on the infected system to download a malicious payload from a remote file server and run it with SYSTEM privileges. In the background, the payload leverages the known privilege elevation vulnerability (CVE-2014-4113) to get the SYSTEM privilege on the infected system. The payload then installs cryptocurrency mining malware on the infected server to mine the TurtleCoin cryptocurrency.

The researchers also released a complete list of IoC and a free PowerShell-based script that Windows administrators can use to check if their system is infected.

Because the attack relies on a weak username and password combination for the MS-SQL and PHPMyAdmin servers, it is highly recommended that the administrator set a complex password for the account.

Source, Image: guardicore