Nansh0u is a crypto-mining attack which has infected 50,000 MSSQL servers since February 2019
It is notable because its primary attack vector is poor SecOps on the part of victims and not a vulnerability per se.
First detected by security firm Guardicore, Nansh0u was observed infecting some 700 new servers each day. A study of how this campaign operates provides some useful lessons for Security Managers.
Nansh0u is a crypto-mining attack – its purpose is to install software that mines crypto-currency on your servers. The main cost in mining crypto-currency is the cost of the server and the electricity to run it. If attackers can install their mining software on your server, they can literally print money at your expense.
The attack progresses in four distinct phases:
- Target acquisition – where the target servers are located on the internet
- Break in – where access is gained to the target server
- Beachhead – installation of the malware tools
- Exploit – running the crypto-mining software on your server
At each phase of the attack there is an opportunity for your security practices and procedures to protect against attacks like this. Below we list in more detail what happens during each phase and steps you can take to mitigate the attack and protect your network.
Step 1 – Target Acquisition
The first step of the campaign uses a port scanning tool to identify MSSQL servers which are directly connected to the internet on well-known ports. The results of this scan are then fed into step 2.
There are numerous port scanning tools available, as well as a search engine called Shodan which specialises in listing internet-connected devices. For example, this query shows all MS-SQL Server instances Shodan has indexed which are connected to the internet. (You have to create a free account to be able to use this type of query on the site.)
How to protect your systems against Nansh0u:
- Use an external network vulnerability scan to identify any devices in your network that are visible on the Internet when they should not be.
- If it is necessary to allow traffic from the internet to connect to a particular server, consider using a VPN or Firewall rules to only allow trusted source IP addresses or trusted devices to connect to that server.
- Rarely, if ever, is it the right decision to publish the SQL Server directly onto the internet, allowing anyone to connect to it and attempt to log in.
Step 2 – Break in
Access to the MSSQL server is not dependent on exploiting any vulnerability; rather, it relies on simple brute-forcing to guess the passwords and achieve a login. Nansh0u uses a brute-forcing module which combines a list of well-known passwords with random guesses to log in to the MSSQL server.
How to protect your database server from attack:
- Do not use weak passwords for MSSQL user accounts. MSSQL has its own internal set of user accounts which can be used independently of Active Directory. This can mean MSSQL user accounts which were created during installation and testing are accidentally forgotten and left active – available for exploitation later.
- Review all MSSQL accounts and suspend or delete those which are no longer needed
- Ensure the SA account and any admin level accounts have strong passwords.
- Review Microsoft’s security best practice policy documents for MSSQL security
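The account review described in the list above can be done with one query against the server's own catalog. This is an added example, not part of the original article or of any vendor tooling; it assumes you run it as a sysadmin on your own instance, and the candidate password list is constructed for illustration and should be replaced with your organisation's own.

```sql
-- Added example: audit SQL Server authentication logins (the internal MSSQL
-- accounts, not Windows/Active Directory logins) for the weaknesses that
-- password guessing depends on.

-- Constructed candidate list (assumption): replace with your own banned passwords.
DECLARE @candidates TABLE (pwd sysname NOT NULL);
INSERT INTO @candidates (pwd)
VALUES (N''), (N'sa'), (N'password'), (N'Password1'), (N'123456'), (N'sql');

SELECT
    l.name                                        AS login_name,
    l.is_disabled,                                -- 1 = already suspended
    IS_SRVROLEMEMBER('sysadmin', l.name)          AS is_sysadmin,
    l.is_policy_checked,                          -- 0 = Windows password policy not enforced
    l.is_expiration_checked,                      -- 0 = password never expires
    l.create_date,                                -- old dates often mean install/test leftovers
    LOGINPROPERTY(l.name, 'PasswordLastSetTime')  AS password_last_set,
    LOGINPROPERTY(l.name, 'BadPasswordCount')     AS bad_password_count, -- only tracked when policy is enforced
    CASE
        WHEN PWDCOMPARE(l.name, l.password_hash) = 1
            THEN 'WEAK: password equals login name'
        WHEN EXISTS (SELECT 1
                     FROM @candidates AS c
                     WHERE PWDCOMPARE(c.pwd, l.password_hash) = 1)
            THEN 'WEAK: password is on candidate list'
        ELSE 'no match on candidate list'
    END                                           AS weak_password_check
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE N'##%'                      -- skip internal certificate-based logins
ORDER BY is_sysadmin DESC, l.is_disabled, l.name;

-- Remediation for a login that is no longer needed (placeholder name):
-- ALTER LOGIN [example_unused_login] DISABLE;
-- Remediation for a login exempt from policy (placeholder name):
-- ALTER LOGIN [example_login] WITH CHECK_POLICY = ON;
```

Rows to act on first are enabled sysadmin logins with `is_policy_checked = 0` or a `WEAK` result, followed by any enabled login nobody can name an owner for.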
Step 3 – Beachhead
Once a successful login has been achieved, the attacker runs a number of scripts to reconfigure the MSSQL server, download a malicious payload and execute it. The payload that is downloaded includes an executable that exploits a known privilege escalation vulnerability, CVE-2014-4113.
How to protect your servers against malware:
- Ensure security patches for both operating system and server software are installed promptly – ideally within 30 days of publication.
- Use file/folder change detection software to raise an alert when new files are unexpectedly installed onto your servers. (This is a requirement of PCI-DSS)
Step 4 – Exploit
Once the payload has been installed, it is executed, which installs a crypto-miner for TurtleCoin. It also installs several support tools and a rootkit which ensure the mining software cannot be terminated or uninstalled easily.
The malware made use of a signed malicious kernel-mode driver as part of its rootkit. This driver protected the mining processes and prevented the user from terminating them. (This malware has since been reported to the issuer of the digital certificate used for the signing and the cert has been revoked by Verisign.) The driver creates a device named SA6482 in order to enable processes to communicate with it. The device receives process IDs (PIDs) meant to be protected – in this case, the crypto-miner PID.
The point of the Nansh0u attack is not to hold you to ransom or steal your data but rather to steal your CPU cycles and mine crypto-currency.
How to protect your systems against crypto-miners:
- Monitor system utilisation and review high-CPU load and memory consumption – investigating any unexpected increases as part of normal service operations hygiene.
The Nansh0u campaign is notable as it contains a combination of highly sophisticated malware (such as you might expect to see deployed by a nation state actor) and more clumsy scripts containing typos. You can imagine how this may have been cobbled together by a less sophisticated hacker who managed to gain access to the sophisticated tools. This illustrates how the threat of cyber-attack is continuously increasing because the most powerful tools are trickling down the cyber food chain to less capable actors.
In a world where powerful tools are packaged up and come with video tutorials, the barrier to entry for cyber-criminals is falling, and falling fast.
For more information on the Nansh0u attack, the GitHub repository containing the Indicators of Compromise and related data lives here.