Cryptojacking campaign has infected over 50k servers

Website security audits specialists have detected a long-range cryptojacking campaign; it is reported that the threat actors behind this campaign, allegedly Chinese hackers, have already infected more than 50k servers in less than four months.

Researchers have dubbed this campaign of attacks as “Nansh0u” because of a string of text files on the attacker’s servers; “this is not a regular cryptocurrency-mining campaign”, the specialists say.

The malware distributed by attackers is used to mine an open source code cryptocurrency called TurtleCoin; to deploy the mining software attackers have decided to resort to sophisticated techniques mainly used by groups of government-sponsored hackers, such as the use of certificates and multiple different versions of the payload.

“So far we have identified more than 50k compromised servers belonging to companies in various sectors, such as telecommunications, health care, media and IT companies”, commented the website security audits specialists. According to the report of the investigators, after the server is infected the mining software is loaded and a rootkit is installed to guarantee the persistence of the malware.

As for the search for targets for the attack, hackers scan the Internet to locate open ports on MS-SQL servers and then gain access using brute force attacks. Subsequently, hackers execute arbitrary commands on compromised systems and unload payloads and mining software from a remote server. 

The main goal of the attackers is the cryptocurrency mining, the website security audits specialists mentioned. However, it is not ruled out that, as a result of the attack techniques used, hackers get information about the compromised servers that may be useful in future attacks. Due to the characteristics of TurtleCoin, which is a virtual asset with a specific focus on privacy, it is difficult to calculate the revenue that this campaign has generated for the attackers.

Experts from the International Institute of Cyber Security (IICS) consider this to be one more example of the need to implement more reliable authentication measures in critical systems. For malicious hacker groups it is relatively easy to break the security of the username-password formula, so admins need to consider other authentication methods.