A Chinese APT group is injecting cryptocurrency miners and rootkits into Windows servers running MS-SQL and PHPMyAdmin around the world. According to specialists from Guardicore Labs, the attackers have compromised more than 50,000 servers since February 2019.
[Figure: Number of Infections Over Time - The Nansh0u Campaign]
The malicious campaign was named Nansh0u. The attackers break into Windows MS-SQL and PHPMyAdmin servers by brute-forcing credentials, then infect them with malware. Experts found 20 versions of the malicious modules.
To prevent the miner process from being terminated, the rootkit was signed with an expired digital certificate issued by the Verisign certification center to the dummy company Hangzhou Hootian Network Technology.
[Figure: Nansh0u Campaign Attack Flow]
This campaign demonstrates once again that common passwords still comprise the weakest link in today’s attack flows. Seeing tens of thousands of servers compromised by a simple brute-force attack, we highly recommend that organizations protect their assets with strong credentials as well as network segmentation solutions.
Specialists from Guardicore Labs note that servers with weak credentials are at the greatest risk. To check a system for the presence of this malware, the experts recommend using a free script they published.