Around 50,000 servers worldwide appear to have been infected with an advanced cryptojacking malware that mines the privacy-focused open-source cryptocurrency TurtleCoin (TRTL), according to an analysis published by the security research group Guardicore Labs on May 29.
For readers unfamiliar with the term, cryptojacking is the industry name for installing malware that uses a computer's processing power to mine cryptocurrency without the owner's consent.
Guardicore Labs first spotted the campaign in April and traced its origin and progress; it reports that the malware has infected up to 50,000 Windows MS-SQL and PHPMyAdmin servers worldwide over the past few months. The compromised servers belong to companies in the healthcare, telecommunications, media and IT services sectors.
The analysts also trace the attacks back to late February, noting that the campaign has been expanding rapidly, at a rate of over "seven hundred new victims per day." Between April 13 and May 13, the number of infected servers rose to 47,965.
This is not an ordinary crypto-miner attack: it relies on techniques more commonly seen in advanced persistent threat (APT) groups, including fake certificates and privilege escalation exploits. While such advanced attack tools have mainly been the preserve of highly skilled adversaries, this campaign shows that they can easily fall into the hands of less capable attackers.
The campaign has been dubbed "Nansh0u," after a text-file string found on the attacker's servers. The malware is believed to have been developed by Chinese-speaking threat actors, because its tools were reportedly written in EPL (Easy Programming Language), a Chinese-language programming language, and various log files and binaries on the servers contain Chinese strings. As the analysis puts it:
"Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media, and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated."
Geographically, most of the victims are in China, the United States and India, although the campaign is reported to have reached some 90 countries. The exact profitability of the operation is harder to determine, the report states, because the mined funds are in the privacy coin TurtleCoin.
Warning organizations, the researchers highlighted that "This campaign demonstrates once again that common passwords still comprise the weakest link in today's attack flows."
Given that tens of thousands of machines were compromised by nothing more than a brute-force attack on passwords, we strongly recommend that organizations protect their assets with strong credentials and network segmentation.
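The brute-force entry point described above leaves a recognisable trace on the MS-SQL side: a burst of error 18456 "Login failed for user" lines from a single client address in the SQL Server error log. The detector below is an added example written for this page, not code from Guardicore Labs or from the campaign. The log lines are constructed for the demo, the threshold and time window are illustrative assumptions, and the line format follows SQL Server's ERRORLOG convention of appending the source address as a `[CLIENT: ...]` suffix.

```python
"""Flag password brute-forcing against SQL Server from its error log.

Added example for this page (not from the Guardicore report). Scans
SQL Server error-log lines for failed logins and reports any client address
that produced THRESHOLD or more failures inside a sliding WINDOW, which is
the pattern a credential brute-force like Nansh0u's entry phase leaves behind.
THRESHOLD and WINDOW are assumed tuning values; the sample log is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line per failed login; SQL Server appends the caller's address in brackets.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

THRESHOLD = 5                   # assumed: failures per client per window
WINDOW = timedelta(seconds=60)  # assumed: sliding window length

# Constructed sample: one remote address hammering 'sa' (and guessing 'admin'),
# one internal host that mistypes a password twice and then logs in.
SAMPLE_LOG = """\
2019-05-01 02:14:01.13 Logon       Error: 18456, Severity: 14, State: 8.
2019-05-01 02:14:01.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-01 02:14:02.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-01 02:14:03.77 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2019-05-01 02:14:05.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-01 02:14:06.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-01 02:14:08.09 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-05-01 09:30:11.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
2019-05-01 09:30:40.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
2019-05-01 09:31:02.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.8]
"""


def parse_failures(lines):
    """Yield (timestamp, user, client) for every failed-login line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"], m["client"]


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {client: (max_failures_in_window, sorted_users_tried)} for
    every client whose failures in some window of `window` length reach
    `threshold`. Clients below the threshold are not reported."""
    by_client = defaultdict(list)
    for ts, user, client in parse_failures(lines):
        by_client[client].append((ts, user))

    hits = {}
    for client, events in by_client.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > best:
                best = count
                users = sorted({u for _, u in events[start:end + 1]})
                hits[client] = (count, users)
    return hits


if __name__ == "__main__":
    for client, (count, users) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible brute force from {client}: {count} failures, logins tried {users}")
```

Run against the constructed sample, the script reports only 203.0.113.5 (six failures in seven seconds, across two login names) and stays silent about 10.0.0.8, whose two failures followed by a success look like a human. In a real deployment the same logic applies to Windows Security event 4625 or SQL Server audit events, and a hit is the point at which to block the source and check whether the targeted login's password would survive a wordlist.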