Mine Host

A couple of weeks ago we talked about a serious vulnerability (wormable, apparently) now called BlueKeep in the Microsoft RDP server, for which emergency patches were released.

As usual, our advice along with that of most sane security people, sysadmins and everyone in between was (and still is) to patch ASAP. It comes as no real surprise to us that this week there remains over 1 Meeelion servers facing the Internet with open arms on the standard RDP port that are still vulnerable to the bug. This is going to turn into a big problem for the afflicted sooner rather than later. Rising again may prove tricky.

There can only be three reasons that this is the case. Laziness, stupidity or perhaps not even knowing what you have out there.

Which brings us neatly onto this week’s SNAFU.

The wonderful boys and girls at Guardicore have published details of a ‘China based campaign which aimed to infect Windows MS-SQL and PHPMyAdmin servers worldwide’. They have named the campaign Nansh0u, probably because of the pain the infected will be feeling.

To date, Guardicore are putting the number of infected servers at nearly 50,000. Once infected, it appears that the primary payload is a cryptominer, although rootkits and other associated nasties (20 in all) have been spotted out there in the Wild West that is Internet facing servers.

There are a number of interesting things about this campaign. Firstly it doesn’t look to be Nation State activity, but does use some of the techniques seen by that Nation State in particular, in various APT offensive operations.

Secondly it uses a very simple method to access the servers, first they do a port scan to find open MS-SQL and PHPMyAdmin servers, then guess what, they look for weak passwords using a table. Once logged in, they use standard (should be patched, tsk tsk) privilege escalation techniques. They use the Windows Kernel mode exploit CVE-2014-4113. They then drop the payload, one of 20 as discussed, some of which are very sophisticated and look like the work of a much more sophisticated outfit, something Government sponsored, so it would appear that it isn’t just the NSA whose exploits are out in the wild, which is both interesting and fairly scary.

Why would you have unpatched MS-SQL or PHPMyAdmin servers directly connected to the internet with weak passwords? If we run into one of the 50,000 sysadmins who have made this happen, we will let you know, although we suspect our old friends Laziness, Stupidity or perhaps not even knowing what you have out there.

If you, or possibly a friend of yours is in this position, we would urge you/them to have a look at the Indicators of Compromise, and run this Powershell script to see if you have been infected, both provided by the wonderful people at Guardicore, absolutely free of charge.

If you are not sure if you have these naughty servers on your estate, we recommend that you scan your perimeter using one of a number of tools, NMAP, Shodan and Qualys come to mind. This is probably A Very Good Idea anyway and something you should do regularly to see if one of your horse riding, cowboy hat wearing developers had stood up a ‘test server’, unpatched, connected to the Internet which will stay there for years and may also be connected to the inside.

As it happens, ITC Secure has been scanning people’s externals, and internals for that matter for donkey’s years. If you do not have the time or inclination to do this yourselves, please contact us at: [email protected] or call 020 7517 3900. Our team of eager, highly trained and experienced consultants would be very happy to help you out.