CyberWire Daily - Nansh0u not your normal cryptominer. [Research Saturday]
Episode Date: July 20, 2019

Researchers at Guardicore Labs have been tracking an unusual cryptominer that seems to be based in China and is targeting Windows MS-SQL and phpMyAdmin servers. Some elements of the exploit make use of sophisticated components previously associated with nation-state actors. Ophir Harpaz and Daniel Goldberg are members of the Guardicore Labs team, and they join us to explain their findings. The research can be found here - https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So I was looking through our global sensors network data and I was noticing some weird attack incidents originating in South Africa.
That's Ophir Harpaz. She's a security researcher at Guardicore Labs.
The research we're discussing today is titled The Nansh0u Campaign: Hackers' Arsenal Grows Stronger.
Joining us in a few moments will be Daniel Goldberg, who collaborated with Ophir on the research.
I just decided to take a deeper look
into these attacks, which shared the same attack flow involving MSSQL scripts and some more of that.
And I saw an outgoing connection to the attack server. When I tried to access this server,
it was completely open and all the files were accessible. And actually, this is what made me
keep digging into this, because, you know, we actually had a very nice insight into all the attacker's infrastructure.
So this was a nice base to start with.
And now at the point when you discovered this, did you have any sense for how
widespread their campaign was?
At this point, actually, no. Only when we saw very interesting log files on the attack server, we actually understood how big the extent of this campaign was. So we decided to call it Nansh0u based on a text file we saw on the attack server, which had this string as an attacker name.
I see. So let's dig in here. So you have access to this server. Take us through it. What did you discover there?
Once we looked inside... That's Daniel Goldberg.
Then we discovered that beyond the obvious part where we found multiple copies of malicious payloads, we found copies for different operating systems, different versions, bug fixes over time and so forth. We also discovered a copy of their attack infrastructure,
which meant folder structure describing their scanning for victim techniques, which was split
into port scanning, checking for vulnerabilities, brute forcing modules, and their attack scripts,
allowing us to build a complete flow chart of how the attacker goes from step A to step B and so forth until a final payload.
So they really left sort of out there in the open a blueprint for everything that they were up to.
Exactly.
Yeah. Well, let's dig into exactly what they were doing here then. Walk us through how does this work?
The interesting file that we saw on the server was named Turtle, and it was an archive.
When extracted, we saw all the different modules of the attackers. So as Daniel mentioned, we saw
a port scanning module, scanning for various IP ranges and looking for MSSQL servers on the
internet. And we also saw a brute force tool to, of course, try and figure out the passwords and
the usernames of the detected MSSQL servers. And once the attacker had these, the credentials, they could execute MSSQL scripts
on the victim machines. Once they had this access, they dropped a payload and the crypto miner. And
as we wrote in our blog, also a rootkit protecting the miner process and the payload itself.
We saw all these on the attack server.
One second.
In addition, here they built it themselves; it's pretty much built as Lego blocks,
where each part was independent and streamed results to the next stage.
They had a list of IPs with MSSQL, which is passed on to the brute force, which outputs a list
of vulnerable servers.
Each one gets its own independent stage in this attack pipeline.
And the way we most see it, as just a set of pipeline stages,
is that as part of the attack, if you attack an MSSQL server,
you end up with system-level permissions.
Despite that, the attackers still used a privilege escalation vulnerability
to verify, to make sure that in this flow, or in every flow they attack,
they gain system-level permissions.
I'm intrigued that they were using something as basic as brute forcing it.
They're going through common password lists and just playing a numbers game here.
Yeah, just like that.
We actually saw the files with common usernames,
common passwords. We shared all of them in our Git repository of IOCs. Yeah, basically just
general brute force on the MS SQL servers. Now, it sounds simple, but our experience over the past
two, three years of looking at these types of attacks is that there are a huge number
of servers that are completely vulnerable to this simple brute forcing. And it's not just
no-name servers set up by some kid doing IT for his parents' business. This is large corporations
where they have one or two, and you only need one database that has been improperly set up.
This is not a problem limited to small businesses that
can't afford anything better. And so is this simply folks who are accidentally neglecting
to reset these credentials? Yes, we've also seen, though we don't have the full extent, that the attacker
clearly also compromised vulnerable versions of phpMyAdmin, meaning that at the same time,
these could be administrators who are neglecting also to patch their servers. And there's probably
a strong overlap between people who don't patch their servers and people who use bad passwords.
But that's what we're seeing here. Well, tell me about the ultimate goal here. I mean,
they're looking to install a crypto miner. That's true. Actually,
the currency is named TurtleCoin. And this is the miner we saw. We noticed a couple of different
mining pools to which the miner connected. They ran the payload, which dropped the miner and the
rootkit protecting the miner. And yeah, we saw many, many versions of this payload malware around 20, actually.
A side fact of how he worked is that there's access. The attacker has lists of tens of
thousands of machines with database administrator credentials.
In terms of persistence, what were they doing to the systems there to make sure that these
miners kept running?
They did two important parts. The
first one is they generally made sure, using a variety of common registry methods, to make sure
their payload remains running upon restart. This is typical. The less typical part was they installed
a rootkit that would prevent antivirus and system administrators from killing the mining process and
the rest of the payloads.
They also did some privilege escalation. What were they taking advantage of there?
They were taking advantage of a patched vulnerability from 2014 in the Win32k driver.
This vulnerability allows you to execute code at root, kernel-mode code. And what they did was use it to either change their access token to
allow them system level privileges or execute code under the system process, both of them
equivalent in power. Now, the actual sophistication of the crypto miner they were running, you know,
I've heard where there are, you know, some of these will intentionally limit the amount of
processor resources that they use to try not to draw attention to themselves.
Did you have any sense for what was going on when it comes to that?
So this crypto miner did not try to limit its CPU or memory usage.
However, it worked very hard to hide its tracks.
This was one of the first times we've seen crypto miners that are running deliberately
obfuscated code and their network traffic is tunneled through legitimate Windows applications.
So at the firewall level, like the host Windows firewall or the EDR level, then there's nothing
suspicious going on. All you have is a PowerShell communicating with the internet, or some other... like these, split around different legitimate Windows binaries that have a legitimate
purpose, communicating with the network. Now, in terms of the overall sophistication of these
folks, what is your sense there? They have multiple levels. Some of the tools that they're using,
such as the exploits, are first-class, done very well.
The rootkit driver is very well engineered
and was clearly written by somebody
who is incredibly thorough and patient
and knows the details of what he's doing.
And other parts of the infrastructure
were done by someone that's less skilled than him.
I'm not sure exactly how to characterize him.
He made basic typos,
like for some part of his attack, he used the wrong IP address for his server.
He also had obviously operational security mistakes, like leaving the attack server open for us to go through.
So I would say that this is a mixed team.
Some of them have very strong technical capabilities.
And some of them, like whoever set up the server,
are not high-end players, though he's still making good money. Let's be honest.
It's interesting because I wonder, does the sophistication of these tools necessarily
point to the sophistication of the attacker? Or could it just point to the availability
of these tools on the broader market?
This is actually a good point because some of the practices we saw led us to think that this
is just a common criminal, but the advanced tools that they were using pointed to some access to very,
very technologically advanced tools. So we can't really attribute, but this looks like
common attackers with access to advanced rootkits and the privilege escalation exploit as well.
Do you know what the source is? Where these people seem to be coming from?
We don't have an attribution of a group name or a level, like... I would say a fancy name.
We can very confidently state that this is an operation run by people speaking Chinese because their exploit kit is taken from obscure
Chinese language forums. Their server infrastructure has strings in Chinese. They use specific programs
that are very common on the Chinese internet. Obviously, all of this can be used to confuse
or obfuscate someone's intentions. But this is done deliberately
over months, and every part of the infrastructure shows either someone who is very,
very methodical in setting up the scene, or the simpler explanation: it's someone who speaks
Chinese at a high level. Yeah, I'd also like to mention that many of the internal tools they were
using that we saw on the attack servers were written in a designated Chinese
programming language named EPL, Easy Programming Language. And this is a Chinese-based language. So
this is a very strong direction. So once these folks caught your eye and you were able to get
a better sense for the scale of what they were doing here, what did you discover there? How
successful have they been? Do you have any sense for how many systems they've infected? So regarding numbers, we actually
monitored the numbers of file downloads from the attack servers. And we saw that there were
tens of thousands of servers, infected servers that actually downloaded the payloads from the
attackers' servers. So this is a good indicator for the extent of the campaign.
I think we saw between 500 and 1,000 new victims per day is a good estimate. We don't know how
many of them remained infected over time because crypto mining is, in the end, a very high noise
operation. But this does indicate tens of thousands of machines with weak credentials or old software
spread around accessible.
Do you have any view into a cryptocurrency wallet that they were mining for?
Any sense for their success when it comes to actually generating income?
So we don't have the right access to be able to tell you that because TurtleCoin in this
case is very similar to other privacy-oriented cryptocurrencies
where there is no public availability of wallet information.
Similar to Monero where you can see some of the transaction logs,
but you cannot know how much of the coin is kept in a specific address.
In terms of prevention and detection, what are your recommendations there?
Well, first of all, stronger credentials. As a start, having a strong username and password would
prevent this attack from succeeding in infecting the victim machine in the first
place. Following up to that, because obviously it's 2019 and this is still
happening, people need to invest more in monitoring their systems for a breach.
In the end, as you mentioned before, there are crypto miners that work harder to hide their
tracks, but the majority of attackers are still very easy to detect. Suddenly your server is
spiked at 100% CPU and a lot of network traffic. This is something that you should be paying
attention to. And on the detection end, there is no reason that your database should have system level access from the internet.
At no point are you supposed to connect, oh, let's just connect from my home to the database
with system-level permissions and just do anything I want. And it's so trivial,
like just block your database from connecting to anywhere
except from your office. There, that's it. It's not foolproof, but it would stop the vast majority
of attacks. There are two interesting things that came up when we started researching the driver,
the rootkit there. The first one was the use of a code signing certificate issued to a made-up company, which, in the wider cyber world, we're used to
seeing as something used by nation states, used for important tasks,
and to sign important tool sets. And here is somebody using a shell company to sign a driver
that they're using in a day-to-day criminal operation. This is a huge change in the
availability of this particular technique. We've moved generally, like we obviously see over the
last decade, more and more techniques moving from nation state to common criminals. So here's the
next step where even a malicious code signing is something completely standard, part of the trade.
The other thing is that, again, most of the binaries we saw were not known online. And this
complicates the detection life because most security vendors that look at binaries, I'm
talking about, let's say, antivirus companies or EDR companies, they look at endpoints. They look
at laptops, mobile devices, which have the highest attack surface.
But this means that malware that's targeting servers is still a very open field.
Even common attacks are not detected until they're widespread,
or in this case that we see them because we really focus only on server malware.
Our thanks to Ophir Harpaz and Daniel Goldberg from Guardicore for joining us.
The research is titled The Nansh0u Campaign: Hackers' Arsenal Grows Stronger.
We'll have a link in the show notes.
And I'm Dave Bittner.
Thanks for listening.