Nansh0u – anatomy of a cyber attack

Nansh0u is a crypto-mining attack which has infected 50,000 MSSQL servers since February 2019

It is notable because its primary attack vector is poor SecOps on the part of victims, not a vulnerability per se.

First detected by security firm Guardicore, Nansh0u was observed infecting some 700 new servers each day. A study of how this campaign operates provides some useful lessons for Security Managers.

Nansh0u is a crypto-mining attack – its purpose is to install software that mines crypto-currency on your servers.  The main cost in mining crypto-currency is the cost of the server and the electricity to run it.  If attackers can install their mining software on your server, they can literally print money at your expense.

The attack progresses in four distinct phases:

  1. Target acquisition – where the target servers are located on the internet
  2. Break in – where access is gained to the target server
  3. Beachhead – installation of the malware tools
  4. Exploit – running the crypto-mining software on your server

At each phase of the attack there is an opportunity for your security practices and procedures to protect against attacks like this.  Below we list in more detail what happens during each phase and steps you can take to mitigate the attack and protect your network.

Step 1 – Target Acquisition

The first step of the campaign uses a port scanning tool to identify MSSQL servers which are directly connected to the internet on well-known ports. The results of this scan are then fed into step 2.

There are numerous port scanning tools available, as well as a search engine called Shodan which specialises in listing internet-connected devices. For example, this query shows all MS-SQL Server instances Shodan has indexed which are connected to the internet. (You have to create a free account to be able to use this type of query on the site.)

How to protect your systems against Nansh0u:

  • Use an external network vulnerability scan to identify any devices in your network that are visible on the Internet when they should not be.
  • If it is necessary to allow traffic from the internet to connect to a particular server, consider using a VPN or Firewall rules to only allow trusted source IP addresses or trusted devices to connect to that server.
  • Rarely, if ever, is it the right decision to publish the SQL Server directly onto the internet, allowing anyone to connect to it and attempt to log in.

Step 2 – Break in

Access to the MSSQL server does not depend on exploiting any vulnerability; rather, it relies on simple brute-forcing to guess passwords and achieve a login. Nansh0u uses a brute-forcing module which combines a list of well-known passwords with random guesses to log in to the MSSQL server.

How to protect your database server from attack:

  • Do not use weak passwords for MSSQL user accounts. MSSQL has its own internal set of user accounts which can be used independently of Active Directory. This can mean MSSQL user accounts which were created during installation and testing are accidentally forgotten and left active – available for exploitation later.
  • Review all MSSQL accounts and suspend or delete those which are no longer needed.
  • Ensure the SA account and any admin-level accounts have strong passwords.
  • Review Microsoft’s security best practice policy documents for MSSQL security.

Step 3 – Beachhead

Once a successful login has been achieved, the attacker runs a number of scripts to reconfigure the MSSQL server, download a malicious payload and execute it. The downloaded payload includes an executable that exploits a known privilege escalation vulnerability, CVE-2014-4113.

How to protect your servers against malware:

  • Ensure security patches for both operating system and server software are installed promptly – ideally within 30 days of publication.
  • Use file/folder change detection software to raise an alert when new files are unexpectedly installed onto your servers. (This is a requirement of PCI-DSS.)

Step 4 – Exploit

Once the payload has been installed it is executed, which installs a crypto-miner for TurtleCoin. It also installs several support tools and a rootkit which ensure the mining software cannot be terminated or uninstalled easily.

The malware made use of a signed malicious kernel mode driver as part of its rootkit. This driver protects the mining processes and prevents the user from terminating them. (This malware has since been reported to the issuer of the digital certificate used for the signing, and the certificate has been revoked by Verisign.) The driver creates a device named SA6482 so that processes can communicate with it. The device receives the process IDs (PIDs) that are to be protected – in this case, the crypto-miner's PID.

The point of the Nansh0u attack is not to hold you to ransom or steal your data, but rather to steal your CPU cycles and mine crypto-currency.

How to protect your systems against crypto-miners:

  • Monitor system utilisation and review high-CPU load and memory consumption – investigating any unexpected increases as part of normal service operations hygiene.
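A miner shows up as CPU load that stays high rather than spiking and subsiding, so a monitoring check should distinguish the two. The script below is an added example (not from the original article): it learns a baseline from the first readings of a constructed per-minute CPU series and alerts only on a sustained run above the baseline, ignoring a short backup-style spike. The thresholds, window sizes and sample values are assumptions for illustration.

```python
from statistics import mean, pstdev

# Constructed per-minute CPU utilisation (%) for one server: 30 quiet baseline
# readings, a 3-minute spike (index 30-32, e.g. a backup job), 7 quiet minutes,
# then a miner pinning the CPU from index 40 onwards.
SAMPLE_CPU = (
    [12, 15, 11, 18, 14, 20, 13, 16, 22, 12, 15, 17, 11, 19, 14,
     13, 21, 16, 12, 18, 15, 14, 17, 13, 20, 16, 12, 15, 19, 14]
    + [95, 96, 94]
    + [16, 14, 15, 17, 13, 18, 15]
    + [99, 98, 99, 97, 99, 98, 99, 99, 98, 99]
)

def flag_sustained_cpu(samples, baseline_n=30, k=3.0, min_run=5, floor=80.0):
    """Return (limit, alert_indices).

    limit is max(baseline mean + k * std, floor): the floor stops a very quiet
    baseline from turning ordinary load into an alert. An alert is raised once
    per run of at least `min_run` consecutive readings above the limit, and
    reports the index at which that run began.
    """
    base = samples[:baseline_n]
    limit = max(mean(base) + k * pstdev(base), floor)
    alerts = []
    run_start = None
    for i in range(baseline_n, len(samples)):
        if samples[i] > limit:
            if run_start is None:
                run_start = i
            if i - run_start + 1 == min_run:   # run just became long enough
                alerts.append(run_start)
        else:
            run_start = None                    # short spike: reset, no alert
    return limit, alerts
```

The returned index is the minute at which the sustained load began, which is the point in time to line up against process-creation and file-change records when investigating.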

The Nansh0u campaign is notable as it combines highly sophisticated malware (such as you might expect to see deployed by a nation state actor) with more clumsy scripts containing typos. You can imagine how this may have been cobbled together by a less sophisticated hacker who managed to gain access to the sophisticated tools. This illustrates how the threat of cyber-attack is continuously increasing because the most powerful tools are trickling down the cyber food chain to less capable actors.

In a world where powerful tools are packaged up and come with video tutorials, the barrier to entry for cyber-criminals is falling, and falling fast.

For more information on the Nansh0u attack, the GitHub repository containing the Indicators of Compromise and related data lives here.
