50,000 Windows-based Web Servers Infected by Rootkit Malware
Strong passwords are a pain to come up with and to maintain, but it has to be done, especially if you are running PHPMyAdmin that uses MS-SQL Server on a Windows web server. Many would say it is not the best combination and that LAMP (Linux, Apache, MySQL, PHP) should be used instead, but to each his own.
There are plenty of websites that run on this combination worldwide, and 50,000 of them have been infected by rootkit malware intended to mine cryptocurrency. Fortunately for them, this does not leak their data, unless the Chinese hacking group responsible for these attacks does that on the side. At the very least, this hack will consume precious CPU cycles and slow these web servers down.
The rootkit malware is dubbed Nansh0u and is by nature quite tough to remove and even to detect. Being a rootkit, the process cannot be stopped without shutting the system down. It has been hard at work cryptojacking web servers since February 26 to mine TurtleCoin. That is a lot of free hardware right there, though given the budget packages sold by various hosting providers, still not much.
The attack itself is quite easy to carry out. It begins with a simple port scanner looking for publicly accessible Windows MS-SQL and PHPMyAdmin servers. Once the hackers find a target, they attack with brute force, which easily breaks the simple passwords of negligent administrators, of whom there are still plenty. Once in, the attackers run a few MS-SQL commands to launch the cryptocurrency malware with SYSTEM privileges.
“Using this Windows privilege, the attacking exploit injects code into the Winlogon process. The injected code creates a new process which inherits Winlogon SYSTEM privileges, providing equivalent permissions as the prior version… We found that the driver had a digital signature issued by the top Certificate Authority Verisign. The certificate – which is expired – bears the name of a fake Chinese company – Hangzhou Hootian Network Technology.”
Let this be a lesson to all administrators that complex passwords are important.