Guardicore Labs security researchers published today a full report on a campaign attacking PHPMyAdmin and MSSQL servers across the globe.

Security researchers named the campaign Nansh0u; the malicious activity is attributed to a Chinese group of APT-style attackers that has infected about 50,000 servers, installing a kernel rootkit on affected systems.

The attackers gain access by brute-forcing credentials after locating publicly accessible MS-SQL and PHPMyAdmin Windows servers with a single-port scanner.

Easyhack is providing the Nansh0u campaign IoCs published by the Guardicore researchers:

  • The attacker’s TRTLCoin wallet address
  • A PowerShell script made by Guardicore to detect residues of the Nansh0u campaign on a Windows machine
  • MD5 hashes of the payloads downloaded as part of the attacks
  • IP addresses of both attackers and connect-backs
  • Domains of mining pools connected to by the miner malware
  • The lists of common usernames and passwords used to break into MSSQL servers
  • Names of files dropped as part of the attacks