As of May 30, 2019
There has recently been discovered an Advanced Persistent Threat (APT) that is being called Nansh0u. This group targets SQL Servers and PHPMyAdmin management software. Current estimates put the number of infected servers at 50,000, and because Nansh0u constantly updates their malware, this is likely to prevent easy classification by anti-virus programs. Common targets have been in the healthcare, telecommunications, media and IT sectors.
Nansh0u is able to get access to the targeted servers by running a brute-force attack on the “sa” or “root” usernames with commonly used passwords. After logging into the server, as an administrative account, Nansh0u executes SQL commands to download and execute malicious code as the SYSTEM user on the server. Nansh0u also installs a rootkit signed by Verisign to maintain a presence on the server. Identified executables are apexp.exe and apexp2012.exe. These executables target CVE-2014-4113 : Win32k.sys privilege escalation vulnerability. The main goal of Nansh0u appears to mine cryptocurrency, at present, but researchers noticed downloaded payloads saved to AppData/Local/Temp with file names similar to what is found in ransomware.
Researchers have posted a Powershell script online to help System Administrators determine if Nansh0u Indicators of Compromise are on their machines.
This information can be found here: https://github.com/guardicore/labs_campaigns/blob/master/Nansh0u/detect_nansh0u.ps1
The list of Indicators of Compromise, along with instructions for remediation, is here: https://github.com/guardicore/labs_campaigns/tree/master/Nansh0u
Many database applications, including some of your HCSS products use a SQL server to store the application’s database. If others were to expose these Windows vulnerabilities beyond crypto targets (and ransomware is able to hold your SQL database hostage), this could disable your application and your connected backups. We recommend that proper precautions are taken to avoid commonly used passwords (listed in the link above), ‘sa’ password requirements are elevated, and design a plan to protect your external facing ports.
We have a private HCSS community for IT professionals where many of our IT users discuss, ask each other questions, and engage how to protect their company’s data. If you have helpful hints or are looking for information from your peers, you can be a part of the IT discussions here.
Microsoft’s Guide to Securing SQL Servers can be found by clicking here.
Leave a Reply