Nansh0u Cryptomining Campaign

Nansh0u is a cryptocurrency mining campaign that is targeting servers around the world running Microsoft SQL Server and phpMyAdmin.

Threat ID:: CC-3076
Category:: Miner
Threat Severity:: Low
Threat Vector:: Exploit, Insecure network
Published:: 31 May 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Nansh0u is a cryptocurrency mining campaign that is targeting servers around the world running Microsoft SQL Server and phpMyAdmin.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows Server

Windows servers running Microsoft SQL Server or phpMyAdmin

Threat details

The threat actors gain access to vulnerable servers using a port scanning tool and a brute force tool to login with commonly-used credentials. Scripts are then used to download and launch malicious payloads on the servers with elevated privileges by exploiting an old Windows Server vulnerability.

Each payload executes the XMRig and JCE cryptocurrency miners to produce TurtleCoin. Registry keys are then added to launch the miners at system startup. A kernel-mode rootkit is sometimes installed to prevent termination of the mining processes, and the continuous execution of the miners is monitored.

For further information:

Microsoft Security Bulletin MS14-058

Remediation steps

Type	Step
	Users and administrators are encouraged to review Microsoft Security Bulletin MS14-058 and apply the necessary updates immediately. Security researchers have also released a Powershell script to detect traces of an attack. Please note that NHS Digital have not tested or verified this script and organisations use it at their own risk. Additionally, to prevent and detect an infection, ensure that: All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

Users and administrators are encouraged to review Microsoft Security Bulletin MS14-058 and apply the necessary updates immediately. Security researchers have also released a Powershell script to detect traces of an attack. Please note that NHS Digital have not tested or verified this script and organisations use it at their own risk.

Additionally, to prevent and detect an infection, ensure that:

All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:53 pm