Security researchers at Tel Aviv-based security specialist Guardicore say they have identified a malicious campaign by a Chinese hacker that infected over 50,000 Windows MS-SQL and PHPMyAdmin servers around the world with malware, in a campaign characterised by a strange combination of sophistication and dozy incompetence.
Companies in the healthcare, telecoms, media and IT sectors were all breached, the company says, with a significant number of the targeted servers infected with malicious payloads that installed a kernel-mode rootkit to prevent the malware (typically a crypto miner) from being terminated. This kernel driver had a digital signature issued by Verisign and came “protected and obfuscated” with VMProtect, a software tool that attempts to frustrate reverse engineers and malware researchers.
The Chinese hackers used a port scanner, MS-SQL brute-force tool and then a remote code executor to deploy the malware, starting cracking passwords and logins by testing for tens of thousands of common credential combinations.
Guardicore: Clever, But Chinese Hackers Left “Whole Infrastructure on a File Server with no Activated Authentication Controls”
Lead researchers on the project Ophir Harpaz and Daniel Goldberg first identified the malicious campaign in April, saying three attacks with South African source IP addresses and flagged by the company’s global sensor network caught their attention.
They then found attacks with a similar pattern dating back to February 26, with over seven hundred new victims per day, with 20 malicious payload versions; new payloads being created at least once a week and used immediately after their creation time.
The two said today in a detailed blog on the campaign: “The Nansh0u campaign is not a typical crypto-miner attack. It uses techniques often seen in APTs such as fake certificates and privilege escalation exploits… “
They added: “Another example [of its sophistication] is the driver dropped by the different payloads. Obtaining a signed certificate for a packed driver is not at all trivial and requires serious planning and execution. In addition, the driver supports practically every version of Windows from Windows 7 to Windows 10, including beta versions. This exhaustive coverage is not the work of a hacker writing a rootkit for fun.”
They then contacted the hosting provider of the attack servers to get them pulled down – but not before waltzing in with minimal difficulty through the front door.
Pointing to “several odd SecOps decisions taken by the attacker” they wrote: “Attackers usually do not keep their whole infrastructure on a file server with no activated authentication controls. Logs, victims lists, usernames, binary files – we had them all in a mouse click. In addition, all binary files had their original timestamps; an experienced malware author would have tampered with those to complicate the analysis process.”
Details of the Attack
After brute forcing the servers, the attacker used a sequence of MS-SQL commands to accomplish the following (numbers in brackets indicate the relevant lines of code):
Configure server settings to allow a “smooth” and errorless attack flow ;
Create a Visual-Basic script file in c:\ProgramData\2.vbs ;
Execute this script and download two files to c:\ProgramData over HTTP ; and
Run the two files in one command-line .
They used exploits of a known privilege escalation vulnerability (CVE-2014-4113). Passing any program to these executables will run it with SYSTEM privileges.
The primary exploit they used, apexp.exe is known as tbe Apolmy exploit and it affects both Desktop and Server versions of Windows (XP to 8.1 and 2003 to 2012 R2, respectively), Guardicore reported.
The two security researchers, who described it as “a weaponized exploit with production-level code”, said they have provided a complete IoC repository [Indicator of Compromise] for the campaign, including an open source PowerShell script script to detect infected machines.