Cyber weapons readily available to criminals, researchers warn

China-based cyber attackers have breached more than 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors using sophisticated attack tools, security researchers warn.

The machines were compromised as part of a cyber attack campaign targeting Windows Microsoft SQL Server and PHPMyAdmin servers worldwide, according to the researchers at Guardicore Labs, who tracked the campaign for a month, in which the number of infected machines doubled.

The attackers used a port scanner that has been known since 2014 to detect MS-SQL servers by scanning IP addresses and checking whether typical MS-SQL ports were open.

Once compromised using commonly used credentials in brute force attacks, the researchers said the targeted servers were infected with malicious payloads, which dropped a cryptocurrency miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.

The attack group behind the campaign, dubbed Nansh0u, deployed 20 different payload versions, with new ones created at least once a week, the researchers said in a blog post.

Each payload, the researchers said, was a wrapper with several functions, including executing the cryptocurrency miner; creating persistency by writing registry run-keys; protecting the miner process from termination using a kernel-mode rootkit; and ensuring the miner’s continuous execution using a watchdog mechanism.

The researchers have published a list of indicators of compromise (IoCs) for the campaign, including a script to detect infected machines.

The campaign was halted after the researchers contacted the hosting provider to take down the attack servers and the issuer of the rootkit certificate to revoke the certificate.

According to the researchers, the campaign demonstrates that while advanced attack tools have normally been the property of highly skilled adversaries, these tools can fall into the hands of lower order attackers.

“It appears that tools, which until recently belonged to nation state-level hackers, are today the property of even common criminals,” the researchers said.

The attacks on the Windows MS-SQL servers were enabled by weak usernames and passwords for authentication, the researchers said, adding that having strong credentials is the difference between an infected and a clean machine.

“This campaign demonstrates once again that common passwords still comprise the weakest link in today’s attack flows. Seeing tens of thousands of servers compromised by a simple brute-force attack, we highly recommend that organisations protect their assets with strong credentials,” the researchers said.

They also advise companies using MS-SQL to implement the recommendations set out in Microsoft’s guide as well as separating internet-exposed servers from internal servers as much as possible by segmenting the network.