Website security audits specialists have detected a large-scale cryptojacking campaign; the threat actors behind it, believed to be Chinese hackers, are reported to have infected more than 50,000 servers in less than four months.
Researchers have named the campaign "Nansh0u" after a string found in text files on the attackers' servers. "This is not a regular cryptocurrency-mining campaign", the specialists say.
The malware distributed by the attackers mines TurtleCoin, an open-source cryptocurrency. To deploy the miner, the attackers have resorted to sophisticated techniques more typical of government-sponsored hacking groups, such as the use of certificates and multiple different versions of the payload.
"So far we have identified more than 50k compromised servers belonging to companies in various sectors, such as telecommunications, health care, media and IT companies", commented the website security audits specialists. According to the investigators' report, once a server is compromised the mining software is loaded and a rootkit is installed to ensure that the malware persists.
To find targets, the attackers scan the Internet for MS-SQL servers with open ports and then gain access through brute-force attacks against their logins. Once inside, they execute arbitrary commands on the compromised systems and download the payloads and mining software from a remote
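The initial-access step described above, brute-forcing logins on Internet-exposed MS-SQL servers, leaves a clear trace in SQL Server's ERRORLOG: one "Login failed for user" line (error 18456) per attempt, with the client IP at the end. The following detector is an added example written for this page; it is not code from the original article or from the researchers' report. It parses that log format and flags any client IP that exceeds a threshold of failures inside a sliding time window. The log lines are constructed sample data using RFC 5737 documentation addresses, and the threshold (5 failures in 60 seconds) and the 'sa'/'admin' usernames are assumptions chosen for illustration, not values taken from the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt in the format SQL Server uses for
# failed logins (error 18456). The IPs are RFC 5737 documentation
# addresses, not real attacker infrastructure. The "Error: 18456" lines
# are shown for the first two attempts only, to keep the sample short.
SAMPLE_ERRORLOG = """\
2019-05-29 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-29 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-05-29 10:15:01.41 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-29 10:15:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-05-29 10:15:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-05-29 10:15:02.37 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2019-05-29 10:15:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2019-05-29 10:15:03.55 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2019-05-29 10:16:00.10 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2019-05-29 10:19:00.10 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2019-05-29 10:20:30.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-05-29 10:22:00.10 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
"""

# Matches only the "Login failed" line; the preceding "Error: 18456" line
# carries no user or client and is skipped.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, client_ip) for each failed login."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("ip")))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with >= threshold failures inside any sliding window.

    Threshold and window are assumed tuning values; a slow, legitimate
    retry loop (a few failures spread over minutes) stays below them,
    while a password-guessing burst does not.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best, start = 0, 0
        # Two-pointer sweep: widen the window at 'end', shrink at 'start'
        # whenever the span exceeds the window length.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = {
                "max_in_window": best,
                "total": len(attempts),
                "users": sorted({u for _, u in attempts}),
            }
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"brute force suspected from {ip}: {info['max_in_window']} failures "
              f"in one window, {info['total']} total, users tried: {info['users']}")
```

Run against a real ERRORLOG, the same parser feeds an alerting pipeline directly; the `users` list is worth surfacing because a single source cycling through several account names is a stronger signal than repeated failures on one account, and a hit on an instance that should never be reachable from the Internet is itself the finding.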
The attackers' main goal is cryptocurrency mining, the website security audits specialists note. However, given the techniques used, it cannot be ruled out that the hackers also collect information about the compromised servers that could be useful in future attacks. Because TurtleCoin is a virtual asset with a specific focus on privacy, it is difficult to estimate how much revenue the campaign has generated for the attackers.
Experts from the International Institute of Cyber Security (IICS) consider this one more example of the need for more reliable authentication on critical systems. A plain username-and-password scheme is relatively easy for malicious groups to break, so administrators need to consider other authentication methods.