50,000 MS-SQL and PHPMyAdmin Servers Infected with Cryptocurrency Mining Malware, Researchers Found
Researchers at Guardicore revealed that 50,000 Microsoft SQL and PHPMyAdmin servers from different parts of the world and belonging to companies in the healthcare, telecommunications, media and IT sectors had been compromised and infected with a cryptocurrency mining malware – malicious software that secretly uses someone else’s computer for cryptocurrency mining.
Cryptocurrency mining performs a dual function: first, approving transactions, and second, releasing new cryptocurrency into circulation. In many countries, cryptocurrency mining isn’t illegal. Even where it is allowed, however, mining becomes illegal when it is done on a computer without the explicit permission of the computer’s owner – an act known as cryptojacking.
In 2017, during the unprecedented rise of cryptocurrency prices, especially the top cryptocurrency Bitcoin, the number of cryptojacking cases also increased. In 2018, when the cryptocurrency prices dwindled, the number of cryptojacking cases also decreased.
In early 2019, most cryptocurrency prices reached their bottom. In recent months, however, cryptocurrency prices have begun to recover. The discovery by Guardicore researchers of the 50,000 MS-SQL and PHPMyAdmin servers infected by the cryptocurrency mining malware called “Nansh0u” is a sign that malicious actors are once again targeting vulnerable computing resources for illicit cryptocurrency mining.
Nansh0u Cryptocurrency Malware
Guardicore researchers Ophir Harpaz and Daniel Goldberg determined that 50,000 Microsoft SQL and PHPMyAdmin servers were infected with the Nansh0u malware. In their write-up “The Nansh0u Campaign – Hackers Arsenal Grows Stronger”, however, the researchers focused only on how the attackers compromised and infected Microsoft SQL servers. “The attacker’s infrastructure contained modules relevant only to the MS-SQL attacks,” Harpaz said.
SQL, which stands for structured query language, is a computer language used for requesting information from a database. MS-SQL, short for Microsoft SQL Server, is one of the popular database platforms that use SQL and, as the name suggests, is developed by Microsoft. It initially ran only on Windows operating systems; Microsoft has since made it available to Linux users as well.
According to Guardicore researchers, the attackers found vulnerable MS-SQL servers by scanning the internet for open MS-SQL ports, using a port scanner that has been known since 2014. Once an open MS-SQL port is spotted, the attackers try to breach the server through brute force, a trial-and-error method of guessing the correct username and password. Nansh0u’s attackers successfully breached thousands of MS-SQL servers by automatically trying out tens of thousands of common usernames and passwords.
Once the attackers gain access to an MS-SQL server, they execute MS-SQL commands to download, from a remote file server, payloads (the components of the malware that carry out the malicious activities) and the cryptocurrency mining code used to mine the cryptocurrency called “TurtleCoin”.
According to Guardicore researchers, the Nansh0u campaign’s infection process bears the marks of sophisticated attackers as well as those of novices. The campaign used a kernel mode driver to prevent the malware from being terminated; most antivirus solutions don’t detect the driver file as malicious. The driver also carried a digital signature issued by the top Certificate Authority Verisign to a fictitious company called “Hangzhou Hootian Network Technology”.
In addition, this driver supports almost every version of Windows from Windows 7 to Windows 10, including beta versions. “This exhaustive coverage is not the work of a hacker writing a rootkit for fun,” the researchers said.
While the Nansh0u campaign exhibits sophisticated techniques, it also features novice mistakes, such as keeping the campaign infrastructure on a file server with no authentication controls enabled: in just one click, logs, victim lists, usernames and binary files could be accessed. In addition, the binary files retained their original timestamps, whereas sophisticated attackers would have tampered with those timestamps to complicate analysis.
Dave Klein, senior director of engineering and architecture at Guardicore, told Threatpost that the choice of the Nansh0u attackers to secretly mine the cryptocurrency TurtleCoin is rather “unusual”. Launched in December 2017, TurtleCoin is a relatively new cryptocurrency compared to Monero, the favorite cryptocurrency of cryptojacking attackers in the past.
Monero and TurtleCoin, however, are both privacy coins, meaning that transactions are private and no one can track them. There is therefore no way to determine which TurtleCoin addresses received the proceeds of this illicit mining or how much the attackers made from the Nansh0u campaign.
The Guardicore researchers said that the Nansh0u campaign started on February 26 this year, with over seven hundred new victims per day. Coinciding with the price rise of the cryptocurrency Bitcoin in April this year, Nansh0u infections rose from 24,087 on April 13, 2019 to 47,985 on May 13, 2019.
The researchers added that the Nansh0u campaign is no longer active: they reached out to Verisign, which revoked the kernel mode driver certificate, and to the service provider that hosted the attack servers, which took those servers down.
How to Protect Against Cryptocurrency Mining Malware
Unauthorized cryptocurrency mining is a big threat to your organization’s servers. Cryptocurrency mining malware that secretly uses your organization’s servers consumes precious computing resources that are meant for critical processes in your organization. Cryptocurrency mining malware also leads to additional energy consumption, resulting in unnecessary costs.
In the case of the Nansh0u campaign, which resulted in the installation of malicious code that mined the cryptocurrency TurtleCoin, it’s important to note that the attackers were able to breach their victims’ Microsoft SQL servers in the first place because these servers had weak login credentials, that is, the compromised servers used common usernames and passwords.
One cybersecurity best practice for hardening your organization’s Microsoft SQL servers is to use strong usernames and passwords. Two-factor authentication (2FA) adds extra protection for these servers.