Cybersecurity Threat Advisory 0028-19: Windows MS-SQL and PHPMyAdmin based servers are taken over by Nansh0u Malware
What is the threat?
A recent malware campaign is targeting Windows MS-SQL and PHPMyAdmin based servers using different techniques. According to Guardicore Labs, the malware has breached over 50,000 servers that belong to companies in the healthcare, telecommunications, media and IT sectors. The malware uses more than 20 different payloads for its campaign to compromise the machines and runs malicious scripts for crypto-mining.
Why is this noteworthy?
Thousands of companies are using Windows MS-SQL and PHPMyAdmin servers. Upon successfully compromising the accounts the attacker will be able to gain full access and save the server’s address, username and password for future use. The attackers can also execute malicious payload once they have access to the system or even install ransomware on the systems.
What is the exposure or risk?
Guardicore Labs said that attackers are starting with series of authentication attempts to a MS-SQL server using tens of thousands of common credentials targeting accounts with weak passwords. Once they successfully compromise the account, the attackers start downloading malicious scripts to gain administrative privileges. Once the attacker has these privileges, they start by installing rootkits which are hidden from the AV software and then running another script for crypto-mining.
What are the recommendations?
SKOUT has already embedded the malware’s IoCs into our customer’s SIEMs to pick up any suspicious activity. SKOUT also recommends users to have strong passwords for all accounts and ensuring that anti-malware solution is installed and is up to date with the latest signatures. We also recommend behavior-based detection capabilities such as Cylance for effective protection against future unknown threats, including zero-day exploits.