The Nanshou Campaign - Hackers' Arsenal Grows Stronger

Sept. 16, 2024, 10:58 a.m.

Description

This comprehensive analysis details a sophisticated cyber campaign targeting over 50,000 Windows servers worldwide, primarily in the healthcare, telecommunications, media, and IT sectors. The campaign exploited vulnerabilities in MS-SQL and phpMyAdmin, dropping advanced payloads like crypto-miners and kernel rootkits. Notably, the attackers employed techniques typically associated with advanced persistent threats (APTs), such as fake certificates and privilege escalation exploits, suggesting broader access to sophisticated tools previously reserved for elite adversaries.

Date

Published: Sept. 16, 2024, 10:26 a.m.

Created: Sept. 16, 2024, 10:26 a.m.

Modified: Sept. 16, 2024, 10:58 a.m.

Indicators

Attack Patterns

Smominru

T1484

T1548

T1497

T1489

T1486

T1082

T1105

T1543

T1036

T1027

T1053

T1078

T1059

CVE-2014-4113

Additional Information

Technology

Healthcare

Media

Telecommunications