As of May 30, 2019
A recently discovered Advanced Persistent Threat (APT) campaign, called Nansh0u, targets SQL Servers and PHPMyAdmin management software. Current estimates put the number of infected servers at 50,000, and because Nansh0u constantly updates its malware, anti-virus programs are unlikely to classify it easily. Common targets have been in the healthcare, telecommunications, media and IT sectors.
Nansh0u gains access to the targeted servers by running a brute-force attack against the “sa” or “root” usernames with commonly used passwords. After logging into the server as an administrative account, Nansh0u executes SQL commands to download and run malicious code as the SYSTEM user on the server. Nansh0u also installs a rootkit signed by Verisign to maintain a presence on the server. Identified executables are apexp.exe and apexp2012.exe; these target CVE-2014-4113, a Win32k.sys privilege escalation vulnerability. The main goal of Nansh0u at present appears to be mining cryptocurrency, but researchers noticed downloaded payloads saved to AppData/Local/Temp with file names similar to those found in ransomware.
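The entry point described above is a password brute-force against a privileged SQL login, and SQL Server records every failed attempt in its ERRORLOG (error 18456, followed by a "Login failed for user" line that names the client address). The script below is an added example for this advisory, not HCSS's own code and not the Guardicore detect_nansh0u.ps1 script; it groups those failures by login and client address and flags any client that exceeds a threshold inside a time window. The log lines in $SampleLog are constructed sample data in the ERRORLOG layout; on a real server you would feed it the instance's ERRORLOG file instead.

```powershell
# Added example (not HCSS's code, not the Guardicore script): detect a password
# brute-force against privileged SQL logins from SQL Server ERRORLOG lines.
# $SampleLog is CONSTRUCTED sample data in the real ERRORLOG layout; on a live
# server replace it with: Get-Content "<instance root>\MSSQL\Log\ERRORLOG"
# (the file is UTF-16 with a BOM, which Get-Content detects on its own).
$SampleLog = @'
2019-05-30 02:14:07.21 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-30 02:14:07.21 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-30 02:14:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-30 02:14:07.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-30 02:14:07.80 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-30 02:14:07.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-30 02:14:08.11 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-30 02:14:08.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-30 02:14:08.37 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-30 02:14:08.37 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-30 08:02:41.55 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-30 08:02:41.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]
2019-05-30 08:03:10.02 spid55      Starting up database 'tempdb'.
'@

function Find-SqlLoginBruteForce {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$WatchLogins = @('sa'),   # privileged logins worth alerting on
        [int]$Threshold        = 5,         # failures from one client ...
        [int]$WindowMinutes    = 5          # ... within this many minutes
    )
    # Only the "Login failed" line carries the login name and client address;
    # the 18456 line before it is skipped. State 8 means "wrong password".
    $pattern = "^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+Login failed for user '(?<login>[^']*)'.*\[CLIENT: (?<ip>[^\]\s]+)\]"
    $culture = [cultureinfo]::InvariantCulture

    $failures = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time  = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss.ff', $culture)
                Login = $Matches.login
                Ip    = $Matches.ip
            }
        }
    }

    $failures |
        Where-Object { $WatchLogins -contains $_.Login } |
        Group-Object Login, Ip |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            # Sliding window: the largest number of failures that fall within
            # $WindowMinutes of any single failure from this client.
            $peak = 0
            foreach ($start in $sorted) {
                $end = $start.Time.AddMinutes($WindowMinutes)
                $n = @($sorted | Where-Object { $_.Time -ge $start.Time -and $_.Time -le $end }).Count
                if ($n -gt $peak) { $peak = $n }
            }
            if ($peak -ge $Threshold) {
                [pscustomobject]@{
                    Login        = $sorted[0].Login
                    Client       = $sorted[0].Ip
                    Failures     = $sorted.Count
                    PeakInWindow = $peak
                    First        = $sorted[0].Time
                    Last         = $sorted[-1].Time
                }
            }
        }
}

# Against the constructed sample, 203.0.113.5 trips the threshold (five failures
# in about a second); the single mistyped password from 10.0.0.23 does not.
Find-SqlLoginBruteForce -Lines ($SampleLog -split '\r?\n') -Threshold 5 | Format-Table -AutoSize
```

The threshold and window are deliberately parameters: a real ERRORLOG from an application server will contain occasional legitimate failures, and the point is to separate a burst from one address from that background. Any client the function reports is a candidate for the IoC check in the Guardicore script linked below and for a firewall review.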
Researchers have posted a PowerShell script online to help system administrators determine whether Nansh0u Indicators of Compromise are present on their machines.
This information can be found here: https://github.com/guardicore/labs_campaigns/blob/master/Nansh0u/detect_nansh0u.ps1
The list of Indicators of Compromise, along with instructions for remediation, is here: https://github.com/guardicore/labs_campaigns/tree/master/Nansh0u
Many database applications, including some of your HCSS products, use a SQL server to store the application’s database. If others were to exploit these Windows vulnerabilities beyond cryptocurrency mining (for example, ransomware holding your SQL database hostage), this could disable your application and your connected backups. We recommend that proper precautions are taken: avoid commonly used passwords (listed in the link above), raise the ‘sa’ password requirements, and design a plan to protect your external-facing ports.
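The three recommendations above map directly onto SQL Server and Windows Firewall settings. The script below is an added example for this advisory, not HCSS's own code: it first audits the posture a brute-force attacker hopes to find (the ‘sa’ login enabled with the Windows password policy not enforced, and xp_cmdshell turned on), then applies the hardened settings and a firewall rule that limits the SQL Server port to a trusted client subnet. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, that it runs as a Windows administrator who is also a SQL sysadmin, and that $Instance, $TrustedSubnet and $SqlPort are replaced with your own values. The advisory does not say which SQL feature Nansh0u uses to reach the operating system; xp_cmdshell is the standard route for running OS commands from SQL, so the hardening turns it off as well.

```powershell
# Added example (not HCSS's code): audit, then harden, the settings the
# brute-force route depends on. Assumes the SqlServer module is installed and
# that the placeholders below are replaced with your own values.
Import-Module SqlServer

$Instance      = 'localhost'      # placeholder: your SQL Server instance
$TrustedSubnet = '10.0.0.0/24'    # placeholder: subnet your HCSS clients connect from
$SqlPort       = 1433             # default instance port; confirm in SQL Server Configuration Manager
$Apply         = $false           # set to $true to make changes, not just report

function Get-SqlLoginPosture {
    param([string]$ServerInstance)
    # sys.sql_logins: the built-in sa login is principal_id 1 even if renamed.
    $login = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins WHERE principal_id = 1;
"@
    $xp = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
"@
    # Weak posture: SaDisabled False, PolicyEnforced False, XpCmdShellEnabled True.
    [pscustomobject]@{
        SaLoginName        = $login.name
        SaDisabled         = [bool]$login.is_disabled
        PolicyEnforced     = [bool]$login.is_policy_checked
        ExpirationEnforced = [bool]$login.is_expiration_checked
        XpCmdShellEnabled  = ([int]$xp.value_in_use -eq 1)
    }
}

function Set-SqlLoginHardening {
    param(
        [string]$ServerInstance,
        [string]$SaLoginName = 'sa',     # use the name Get-SqlLoginPosture reported
        [securestring]$NewSaPassword,    # long random value stored in your password vault
        [switch]$DisableSa               # only when no HCSS application connects as sa
    )
    # Plain text is needed only to build the statement; single quotes are doubled for T-SQL.
    $plain = [System.Net.NetworkCredential]::new('', $NewSaPassword).Password -replace "'", "''"
    # CHECK_POLICY applies the Windows password complexity/lockout policy to the login;
    # CHECK_EXPIRATION requires CHECK_POLICY and forces periodic rotation.
    $tsql = @"
ALTER LOGIN [$($SaLoginName)] WITH PASSWORD = N'$plain', CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
"@
    if ($DisableSa) { $tsql += "`nALTER LOGIN [$($SaLoginName)] DISABLE;" }
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $tsql
}

function Set-SqlPortFirewallRule {
    param([int]$Port, [string]$RemoteAddress)
    # List every inbound rule that already opens the port, so a broad "any address"
    # allow rule is not left in place next to the scoped one.
    Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq $Port } |
        Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Enabled, Action, Profile
    # With the default inbound policy of Block, this scoped rule is the only way in.
    New-NetFirewallRule -DisplayName "SQL Server TCP $Port - trusted clients only" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $RemoteAddress -Action Allow -Profile Any
}

$posture = Get-SqlLoginPosture -ServerInstance $Instance
$posture | Format-List

if ($Apply) {
    $newPassword = Read-Host -AsSecureString -Prompt "New password for $($posture.SaLoginName)"
    Set-SqlLoginHardening -ServerInstance $Instance -SaLoginName $posture.SaLoginName -NewSaPassword $newPassword
    Set-SqlPortFirewallRule -Port $SqlPort -RemoteAddress $TrustedSubnet
}
```

Run it once with $Apply left at $false to see the current posture, compare the new sa password against the common-password list in the link above before you choose it, and only set $DisableSa if you have confirmed that no HCSS application or scheduled job authenticates as sa. Named instances listen on a port other than 1433, so check the port before creating the firewall rule.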
We have a private HCSS community for IT professionals where many of our IT users discuss, ask each other questions, and exchange ideas on how to protect their company’s data. If you have helpful hints or are looking for information from your peers, you can be a part of the IT discussions here.
Microsoft’s Guide to Securing SQL Servers can be found by clicking here.