What a headline, huh?
That’s quite the number of infected servers found during a recently discovered and tracked malware campaign. At a high level, the campaign mass-scanned the Internet for servers exposing specific services, catalogued the ones that responded, and fed that list into a password brute-force tool. Once a server was compromised, malicious payloads were used to perform additional actions: exploiting a known privilege-escalation vulnerability to gain a privileged system account and installing cryptominers.
Going a level deeper, this campaign is a good example of multi-staged malware delivery. The initial compromise relies on nothing more than getting past weak authentication credentials with brute-force techniques (strong emphasis on weak). Once in, and doing as little as possible that might trip other security measures, the next stage downloaded and executed malicious scripts. These installed a rootkit that prevents the cryptomining process from being terminated; the rootkit’s driver was signed with a valid digital certificate issued by Verisign, a Certificate Authority, so it passed the operating system’s code-signing checks instead of having to defeat them.
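The brute-force stage is the one most defenders can catch in their own logs before the later stages ever run. The script below is an added example, not Guardicore’s detection script and not code from the original post: it parses SQL Server ERRORLOG “Login failed” (error 18456) lines and flags any client address that produces a burst of failures inside a short sliding window. The sample log lines, the client addresses (RFC 5737 documentation ranges), the threshold of five failures and the 60-second window are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample resembling SQL Server ERRORLOG entries for failed logins.
# These lines are made up for this example; the client addresses are RFC 5737
# documentation ranges, not real attacker infrastructure. The bare
# "Error: 18456" line carries no client address and is deliberately ignored.
SAMPLE_ERRORLOG = """\
2019-05-20 10:12:33.45 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-20 10:12:33.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-20 10:12:33.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-20 10:12:34.37 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-20 10:12:34.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-20 10:12:35.22 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2019-05-20 10:12:35.70 Logon       Login failed for user 'root'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2019-05-20 11:40:11.07 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-05-20 11:40:25.51 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Matches the "Login failed for user '...' ... [CLIENT: x.x.x.x]" line shape.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]\s*$"
)


def parse_failed_logins(errorlog_text):
    """Return a time-sorted list of (timestamp, user, client_ip) tuples."""
    events = []
    for line in errorlog_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def find_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with at least `threshold` failures inside any `window`.

    A per-source sliding window is used so that a slow trickle of legitimate
    typos is not flagged, while a scripted burst of guesses is. Returns a dict
    mapping each flagged IP to its total attempts, user names tried, and the
    first/last failure seen.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    totals = defaultdict(lambda: {"attempts": 0, "users": set(),
                                  "first": None, "last": None})
    flagged = set()
    for ts, user, ip in events:
        t = totals[ip]
        t["attempts"] += 1
        t["users"].add(user)
        t["first"] = t["first"] or ts
        t["last"] = ts

        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: totals[ip] for ip in flagged}


if __name__ == "__main__":
    hits = find_brute_force(parse_failed_logins(SAMPLE_ERRORLOG))
    for ip, info in hits.items():
        print(f"{ip}: {info['attempts']} failures, users tried "
              f"{sorted(info['users'])}, {info['first']} .. {info['last']}")
```

On the constructed sample, 203.0.113.5 is flagged (six failures across three user names in about two seconds, the classic wordlist pattern) while 198.51.100.7, with two failures fourteen seconds apart, is not. On a real host, point the parser at the live ERRORLOG and feed the flagged addresses to a firewall block list.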
Let’s Expand on That
The Guardicore Labs team detailed their two-month investigation of a China-based campaign named Nansh0u. The campaign has been targeting Windows MS-SQL and PHPMyAdmin servers worldwide, primarily in the healthcare, telecommunications, media and IT sectors. Working back from the initial detection that caught their attention, Guardicore Labs traced these attacks back to February 26.
This revealed the threat actors’ continuous work: not only were more victims infected every day, but the payloads were revised weekly, amounting to 20 unique payloads. Guardicore Labs also tracked down five attack servers and six connect-back servers. After the incidents were reported, the hosting provider took the attack servers down and revoked their certificates, and Verisign revoked the rootkit’s digital certificate.
On a positive note, Guardicore Labs developed tools to combat this campaign and made them public: an indicators-of-compromise repository and a script that checks whether a machine is infected.
There is a strong emphasis on not leaving critical servers exposed to the entire Internet. Consider putting these servers behind NAT, requiring a VPN to reach them, or at the very least protecting access with an MFA solution. As a WatchGuard customer, all of these options are available using a Firebox. The second step in this attack was brute force: rapidly attempting to authenticate to credential-protected servers using the most common usernames and passwords, which is exactly the attack that a second factor takes off the table. WatchGuard’s MFA solution, AuthPoint, is available to everyone, current customer or not, and it requires no additional hardware installation.