The Nansh0u Campaign - Hackers Arsenal Grows Stronger (May 29, 2019)
Guardicore Labs have been monitoring a China-based attack campaign that seeks to infect MS-SQL and PHPMyAdmin servers in order to drop a crypto-miner. The attacks appear to have begun around February, with 20 payload versions used to date. The campaign's targets include the IT, healthcare, media and telecommunications sectors, with over 50,000 servers infected. The MS-SQL attacks consisted of three components: a port scanner, an MS-SQL brute-force tool, and a remote code executor. The attack uses tooling that would previously have been seen only in nation-state operations; such tools are becoming more accessible to non-state actors.
Recommendation: Strong credentials are highly important in protecting against these attacks, since weak usernames and passwords allow brute-force attacks to succeed. Database servers should follow hardening guidelines to ensure they are secure, and Internet-exposed servers should be separated from internal servers.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.