posted by Fnord666 on Thursday May 30 2019, @10:29AM
from the Correct-Horse-Battery-Staple dept.

Researchers with Guardicore Labs, who disclosed the campaign Wednesday, said that the Nansh0u campaign (named after a text-file string called Nansh0u found on the attacker’s servers) is “not another run-of-the-mill mining attack.”

The cryptomining malware, which targets an open source cryptocurrency called TurtleCoin, is being spread via a sophisticated campaign relying on techniques often utilized by advanced persistent threat (APT) groups, such as using certificates and 20 different payload versions.

“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors,” researchers said in an analysis. “Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”

The campaign has been ongoing since February, researchers said. In April, researchers noticed three similar attacks – all had source IP addresses originating in South Africa, shared the same attack process and used the same breach method.

“Looking for more attacks with a similar pattern, we found attacks dating back to February 26, with over seven hundred new victims per day,” said researchers. “During our investigation, we found 20 versions of malicious payloads, with new payloads created at least once a week and used immediately after their creation time.”

The campaign was rapidly infecting servers – in fact, within the timeframe of April 13 to May 13, researchers observed the number of infections double to 47,985.

Victims were mostly located in China, the U.S. and India – however, attackers also reached victims in up to 90 countries, Guardicore researchers told Threatpost.

[...] Researchers pointed to weak usernames and passwords on Windows MS-SQL servers as a main reason behind the attack – and urged system administrators to use strong credentials.

“This campaign demonstrates once again that common passwords still comprise the weakest link in today’s attack flows,” they said. “Seeing tens of thousands of servers compromised by a simple brute-force attack, we highly recommend that organizations protect their assets with strong credentials as well as network segmentation solutions.”


  • (Score: 2) by jasassin (3566) <jasassin@gmail.com> on Thursday May 30 2019, @10:40PM (#849461)

    A five or ten second delay between failed logins is a good idea. Locking an account after five or ten failed logins would probably be better.

    --
    jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
  • (Score: 0) by Anonymous Coward on Thursday May 30 2019, @11:49PM (#849502)

    For failed remote logins we use a cumulative minute per failed attempt, with the penalty cleared after a successful login.
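
The throttling scheme the two comments above describe (a cumulative per-failure delay that a successful login clears, plus a lockout after repeated failures) as an added example, not code from the article or the commenters; the 60-second penalty, the 10-failure lockout threshold and the `sa` account name are assumed or constructed values.

```python
from typing import Dict, Optional


class LoginThrottle:
    """Server-side login throttle (example; parameters are assumptions).
    Each failed attempt adds `penalty` seconds of delay cumulatively
    (60 s, 120 s, ...); `lockout_after` consecutive failures lock the
    account until reset(); a successful login clears counter and delay.
    Attempts refused during a delay are not counted, so hammering an
    account inside its window does not extend the window."""

    def __init__(self, penalty_seconds: float = 60.0, lockout_after: int = 10):
        self.penalty = penalty_seconds
        self.lockout_after = lockout_after
        self._failures: Dict[str, int] = {}      # consecutive failures per account
        self._blocked_until: Dict[str, float] = {}  # epoch seconds per account

    def check(self, account: str, now: float) -> Optional[float]:
        """None if an attempt may proceed, else seconds to wait
        (float('inf') once the account is locked)."""
        if self._failures.get(account, 0) >= self.lockout_after:
            return float("inf")
        until = self._blocked_until.get(account, 0.0)
        return until - now if now < until else None

    def record_failure(self, account: str, now: float) -> None:
        if self.check(account, now) is not None:
            return  # refused attempt: not counted against the account
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        self._blocked_until[account] = now + n * self.penalty

    def reset(self, account: str) -> None:
        """Clear counter and delay: on successful login or by an administrator."""
        self._failures.pop(account, None)
        self._blocked_until.pop(account, None)


def attempt(throttle: LoginThrottle, account: str, password_ok: bool, now: float) -> str:
    """One login attempt; returns 'ok', 'bad-password' or 'throttled'."""
    if throttle.check(account, now) is not None:
        return "throttled"
    if password_ok:
        throttle.reset(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad-password"
```

Note that once the lockout threshold is reached even a correct password is refused until an administrator calls `reset()`, which is the trade-off jasassin's lockout suggestion implies.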

  • (Score: 0) by Anonymous Coward on Saturday June 01 2019, @12:30AM (#850020)

    If you're using a username and password to log in remotely, you're incompetent as a remote admin and almost assuredly a Windows user.