The Nanshou Campaign - Hackers' Arsenal Grows Stronger

Sept. 16, 2024, 10:58 a.m.

Description

This comprehensive analysis details a sophisticated cyber campaign targeting over 50,000 Windows servers worldwide, primarily in the healthcare, telecommunications, media, and IT sectors. The campaign exploited vulnerabilities in MS-SQL and phpMyAdmin, dropping advanced payloads like crypto-miners and kernel rootkits. Notably, the attackers employed techniques typically associated with advanced persistent threats (APTs), such as fake certificates and privilege escalation exploits, suggesting broader access to sophisticated tools previously reserved for elite adversaries.

Date

  • Created: Sept. 16, 2024, 10:26 a.m.
  • Published: Sept. 16, 2024, 10:26 a.m.
  • Modified: Sept. 16, 2024, 10:58 a.m.

Indicators

  • f94356753b59a40fceeb3911fe3be4ebb6bed4cdacdcb82ef2b14c03bae5d348
  • e9fb013985051e90d4333e0de0de467a12b47a0ac81ab7fdf42925b73185504f
  • e8be61336323c2efc612e101311913b945a5a3d2738df92c4a62726dce9eb705
  • d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3
  • d612e3c11dd04fd5918d580842b48e774d1538e15535d0a5e1df01c63ae9a01f
  • b9b6d6877e11dc90c9d9ac76c8d70a878a65f2f894b4908010abf4e9b38940dc
  • b987dcc752d9ceb3b0e6cd4370c28567be44b789e8ed8a90c41aa439437321c5
  • 8d47b08504dcf694928e12a6aa372e7fa65d0d6744429e808ff8e225aefa5af2
  • 8e5c1840923633af4ded41952420cc9dcd75aa376abf38ec427173e25ea53648
  • 857dc66c7136c952848f12f7dbcc043aff0a1463ff1337a59429512480c2d4ae
  • 7044fc824ad8f6998bb8cdc1b390d6abf7c455939219570156504df4cf30a7e0
  • 61160793bb58203c29042d5348b6f96d3c4ceb79c2d0d82d7a022ed43a0dec34
  • 350381c64073da55023db2796de64da7e53997b4a0ef76587b9f65f151da9e39
  • 2b1c1c6d82837dbbccd171a0413c1d761b1f7c3668a21c63ca06143e731f030e
  • 285e3f21dd1721af2352196628bada81050e4829fb1bb3f8757a45c221737319
  • 15e5b1bfcd972f1d2e6c4298ed955603890d6c77f83c19591ef558a3e9606f35
  • 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
  • 0b60c0bd38043a4764fad55e39a28232762107f92f0aa6d595de2b28aaaff788
  • 02ebdc1ff6075c15a44711ccd88be9d6d1b47607fea17bef7e5e17f8da35293e
  • 01c3882e8141a25abe37bb826ab115c52fd3d109c4a1b898c0c78cee8dac94b4
  • 114.115.164.211
  • 107.173.21.239
  • 111.67.206.87
  • 107.173.21.146
  • 119.131.209.186
  • 112.85.42.158
  • 102.165.51.80
  • 102.165.51.106

Attack Patterns

  • Smominru
  • T1484
  • T1548
  • T1497
  • T1489
  • T1486
  • T1082
  • T1105
  • T1543
  • T1036
  • T1027
  • T1053
  • T1078
  • T1059
  • CVE-2014-4113

Additional Information

  • Technology
  • Healthcare
  • Media
  • Telecommunications