The Chinese APT grouping injects cryptocurrency miners and rootkits into MS-SQL and PHPMyAdmin Windows servers around the world. According to specialists from Guardicore Labs , since February 2019, attackers have been able to compromise more than 50,000 servers.
The malicious campaign was named Nansh0u. The attackers hack Windows MS-SQL and PHPMyAdmin servers using brute-force, and then infect them with malware. Total experts found 20 versions of malicious modules.
“After successful authorization with administrator rights, attackers downloaded a malicious payload from a remote server, which, through the CVE-2014-4113 vulnerability in the win32k.sys driver, was launched with SYSTEM privileges. After that, the malicious module loaded the TurtleCoin cryptocurrency mining program, ”said Guardicore Labs.
To prevent the completion of the process, the expired digital certificate of the dummy company Hangzhou Hootian Network Technology, issued by Verisign certification center, was used.
Specialists from Guardicore Labs note that servers with unreliable credentials are in the first place at risk. To check the system for the presence of malware, experts recommend using a free script .
Earlier in May, the Firefox browser implemented protection against hidden mining.
Subscribe to BlockchainJournal news on VK !
BlockchainJournal.news
BlockchainJournal.news
