Research Saturday 7.20.19
Ep 94 | 7.20.19
Nansh0u: not your normal cryptominer.

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary Zero Reveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything - all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Ophir Harpaz: [00:01:53] So, I was looking through our Global Sensors Network data, and I was noticing some weird attack incidents originating in South Africa.

Dave Bittner: [00:02:03] That's Ophir Harpaz. She's a security researcher at Guardicore Labs. The research we're discussing today is titled, "The Nansh0u Campaign: Hackers Arsenal Grows Stronger." Joining us in a few moments will be Daniel Goldberg, who collaborated with Ophir on the research.

Ophir Harpaz: [00:02:20] I just decided to take a deeper look into these attacks, which shared the same attack flow involving MS-SQL scripts and some more of that, and I saw an outgoing connection to the attack server. When I tried to access the server, it was completely open and all the files were accessible, and actually this is what made me keep digging into this. Because, you know, we actually had a very nice insight into all the attackers' infrastructure. So this was a nice base to start with.

Dave Bittner: [00:02:50] Hmm. And now, at the point when you discovered, this did you have any sense for how widespread their campaign was?

Ophir Harpaz: [00:02:56] At this point, actually no. Only when we saw very interesting log files on the attack server did we actually understand how big the extent of this campaign was. So, we decided to call it "Nansh0u," based on a text file we saw on the attack server which had this string as an attacker name.

Dave Bittner: [00:03:15] I see. So, let's dig in here. So, you have access to this server. Take us through - what things did you discover there?

Daniel Goldberg: [00:03:23] Well, see, we looked inside...

Dave Bittner: [00:03:24] That's Daniel Goldberg.

Daniel Goldberg: [00:03:25] ...Then we discovered that, beyond the obvious hardware, we found multiple copies of malicious payloads, we found copies for different operating systems, different versions, bug fixes over time, and so forth. We also discovered a copy of their attack infrastructure, which meant a folder structure describing their scanning for victims - techniques which were split into port scanning, checking for vulnerabilities, brute-forcing modules, and attack scripts, allowing us to, like, build a complete flowchart of how the attacker goes from step A to step B, and so forth until a final payload.

Dave Bittner: [00:04:05] So, they really left, sort of out there in the open, a blueprint for everything that they were up to?

Ophir Harpaz: [00:04:09] Exactly.

Dave Bittner: [00:04:11] Yeah. Well, let's dig into exactly what they were doing here then. Walk us through - how does this work?

Ophir Harpaz: [00:04:18] The interesting file that we saw on the server was named "turtle," and it was an archive. When extracted, we saw all the different modules of the attackers. So, as Daniel mentioned, we saw a port scanning module scanning various IP ranges and looking for MS-SQL servers on the Internet. And we also saw a brute-force tool, to, of course, try and figure out the passwords and the usernames of the detected MS-SQL servers. And once the attacker had these credentials, they could execute MS-SQL scripts on the victim machines. Once they had this access, they dropped a payload and the cryptominer, and, as we wrote in our blog, also a rootkit protecting the miner process and the payload itself. We saw all these on the attack server.

Daniel Goldberg: [00:05:01] One second, in addition here, is they built themselves, like, it's pretty much built as Lego blocks, where each part was independent and streamed results to the next stage. They had a list of IPs with MS-SQL, which is passed on to the brute force, which outputs the list of vulnerable servers. Each one gets its own independent stage in, like, this attack pipeline. And the way we most see it as just a set of pipeline stages is, as part of the attack, if you attack an MS-SQL Server, you end up with SYSTEM level permissions. Despite that, the attackers still used a privilege escalation vulnerability to verify, to make sure that in this flow, or in every flow of the attack, they gained SYSTEM level permissions.

Dave Bittner: [00:05:48] I'm intrigued that they were using something as basic as brute-forcing. They're going through common password lists and just playing a numbers game here.

Ophir Harpaz: [00:05:58] Yeah, just like that. We actually saw the files with common usernames, common passwords - we shared all of them in our Git repository of IoCs. Yeah, basically just a general brute force on the MS-SQL servers.

Daniel Goldberg: [00:06:12] Now, it sounds simple, but our experience over the past two, three years of looking at these types of attacks is that there are a huge number of servers that are completely vulnerable to this, to simple brute-forcing. And it's not just no-name servers set up by some kid doing IT for his parents' business. This is large corporations where they have one or two - and you only need one - database that has been improperly set up. This is not a problem limited to small businesses that can't afford anything better.

Dave Bittner: [00:06:45] And so, is this simply folks who are accidentally neglecting to reset these credentials?

Daniel Goldberg: [00:06:52] Yes. We also saw - but we don't have the full extent - that the attacker clearly also compromised vulnerable versions of phpMyAdmin, meaning that, at the same time, these could be administrators who are neglecting also to patch their servers. And there is probably a strong overlap between people who don't patch their servers and people who use bad passwords, but that's what we're seeing here.

Dave Bittner: [00:07:15] Well, tell me about the ultimate goal here. I mean, they're looking to install a cryptominer.

Ophir Harpaz: [00:07:21] That's true. Actually, the currency is named TurtleCoin, and this is the miner we saw. We noticed a couple of different mining pools to which the miner connected. They ran the payload which dropped the miner and the rootkit protecting the miner. And yeah, we saw many, many versions of this payload malware - around twenty, actually.

Daniel Goldberg: [00:07:42] A side effect of how he worked is that there's access - the attacker has lists of tens of thousands of machines with database administrator credentials.

Dave Bittner: [00:07:53] In terms of persistence, what were they doing to the systems there to make sure that these miners kept running?

Daniel Goldberg: [00:08:00] They did two important parts. The first one is they generally made sure using a variety of common registry methods to make sure their payload remains running upon restart. This is typical. The less typical part was they installed a rootkit that would prevent antivirus and system administrators from killing the mining process and the rest of the payloads.

Dave Bittner: [00:08:23] Hmm. They also did some privilege escalation. What were they taking advantage of there?

Daniel Goldberg: [00:08:27] They were taking advantage of a patched vulnerability from 2014 in the Win32k driver. This vulnerability allows you to execute kernel-mode code. And what they did was use it to either change their access token to give them SYSTEM level privileges, or execute code under the system process - both of them equivalent in power.

Dave Bittner: [00:08:52] Now, the actual sophistication of the cryptominer they were running, you know, I've heard where there are, you know, some of these will intentionally limit the amount of processor resources that they use to try not to draw attention to themselves. Did you have any sense for what was going on when it comes to that?

Daniel Goldberg: [00:09:08] So, this cryptominer did not try to limit its CPU or memory usage. However, it worked very hard to hide its tracks. This was one of the first times we've seen cryptominers that are running deliberately obfuscated code, and their network traffic is tunneled through legitimate Windows applications. So, at the firewall level, like, the host Windows firewall, or the EDR level, then there's nothing suspicious going on. All you have is a PowerShell communicating with the Internet, or some other like this split around different legitimate Windows binaries that have legitimate purpose communicating with the network.

Dave Bittner: [00:09:48] Now, in terms of the overall sophistication of these folks, what is your sense there?

Daniel Goldberg: [00:09:53] They have multiple levels. Some of the tools that they're using, such as the exploits, are world-class, done very well. The rootkit driver is very well-engineered and was clearly written by somebody who is incredibly thorough and patient and knows the details of what he's doing. And other parts of the infrastructure were done by someone that's less skilled than him - I'm not sure exactly how to characterize him. He made basic typos, like, for some parts of his attack, he used the wrong IP address for his server. He also had obviously operational security mistakes, like leaving the attack server open for us to go through. So, I would say that this is a mixed team. Some of them have very strong technical capabilities, and some of them, like whoever set up the server, is not a high-end player - though he's still making good money, let's be honest.

Dave Bittner: [00:10:47] (Laughs) It's interesting, because I wonder - does the sophistication of these tools necessarily point to the sophistication of the attacker, or could it just point to the availability of these tools on the broader market?

Ophir Harpaz: [00:11:03] This is actually a good point, because some of the practices we saw led us to think that this is just a common criminal, but the advanced tools that they were using point at some access to very, very technologically advanced tools. So, we can't really attribute, but this looks like common attackers with access to advanced rootkits and the privilege escalation exploit as well.

Dave Bittner: [00:11:25] Do you know what the source is - where these people seem to be coming from?

Daniel Goldberg: [00:11:28] We don't have an attribution of the group name or level, like, with a fancy name. We can very confidently state that this is an operation run by people speaking Chinese, because their exploit kit is taken from obscure Chinese-language forums, their server infrastructure has strings in Chinese, they use specific programs that are very common on the Chinese Internet. Obviously, all of this can be used to confuse or obfuscate someone's intentions, but that this is done deliberately over months and across every part of the infrastructure shows either that someone is very, very methodical at setting up the scene, or, the simpler explanation, that it's someone who speaks Chinese at a high level.

Ophir Harpaz: [00:12:14] Yeah, I'd also like to mention that many of the internal tools they were using that we saw on the attack servers were written in a designated Chinese programming language named EPL - Easy Programming Language. And this is a Chinese-based language, so this is a very strong direction.

Dave Bittner: [00:12:32] So, once these folks caught your eye and you were able to get a better sense for the scale of what they were doing here, what did you discover there? How successful have they been? Do you have any sense for how many systems they've infected?

Ophir Harpaz: [00:12:45] So, regarding numbers, we actually monitored the number of file downloads from the attack servers, and we saw that there were tens of thousands of servers, infected servers, that actually downloaded the payloads from the attackers' servers. So, this is a good indicator for the extent of the campaign.

Daniel Goldberg: [00:13:02] I think we saw between five hundred and a thousand new victims per day, which is a good estimate. We don't know how many of them remained infected over time, because cryptomining is, in the end, a very high-noise operation. But this does indicate tens of thousands of machines with weak credentials or old software spread around, accessible.

Dave Bittner: [00:13:24] Do you have any view into a cryptocurrency wallet that they were mining for? Any sense for their success when it comes to actually generating income?

Daniel Goldberg: [00:13:32] So, we don't have the right access to be able to tell you that, because TurtleCoin in this case is very similar to other privacy-oriented cryptocurrencies, where there is no public availability of wallet information. Similar to Monero, where you can see some of the transaction logs, but you cannot know how much of the coin is kept in a specific address.

Dave Bittner: [00:13:56] In terms of prevention and detection, what are your recommendations there?

Ophir Harpaz: [00:14:01] Well, first of all, stronger credentials, as a start. Having strong usernames and passwords would prevent this attack from succeeding and infecting victim machines in the first place.

Daniel Goldberg: [00:14:13] Following up to that, because obviously it's 2019 and this is still happening, then people need to invest more in monitoring their systems for a breach. In the end, as you mentioned before, there are cryptominers that work harder to hide their tracks, but the majority of attackers are still very easy to detect. Suddenly your server is spiked at a hundred percent CPU and a lot of network traffic. This is something that you should be paying attention to.

Daniel Goldberg: [00:14:40] And in the detection end, there is no reason your database should have SYSTEM level access from the Internet. At no point are you supposed to connect, oh, let's just connect from my home to the database with SYSTEM level permissions and just do anything I want. And it's so trivial - like, just block your database from connecting to anywhere except from your office. There. That's it. It's not foolproof, but it would stop the vast majority of attacks.

Daniel Goldberg: [00:15:09] There are two interesting things that came up when we started researching the driver, the rootkit, there. The first one was the use of a code signing certificate issued to a made-up company, which - we're used to, in the wider cyber world, seeing fake certificates as something used by nation states, used for important tasks and to sign important toolsets. And here is somebody using a shell company to sign a driver that they're using in a day-to-day criminal operation. This is a huge change in the availability of this particular technique. We've moved, generally, like, we obviously see over the last decade more and more techniques moving from nation-state to common criminals. So here is the next step, where even malicious code signing is something completely standard, part of the trade.

Daniel Goldberg: [00:16:02] The other thing is that, again, most of these - the binaries we saw - were not known online. And this complicates detection, because most security vendors that look at binaries - I'm talking about, let's say, antivirus companies or EDR companies - they look at endpoints. They look at laptops, mobile devices, which have the highest attack surface. But this means that the malware that's targeting servers is still a very open field. Even common attacks are not detected until they're widespread, or in this case, that we see them, because we really focus only on server malware.

Dave Bittner: [00:16:41] Our thanks to Ophir Harpaz and Daniel Goldberg from Guardicore for joining us. The research is titled "The Nansh0u Campaign: Hackers Arsenal Grows Stronger." We'll have a link in the show notes.

Dave Bittner: [00:16:52] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:17:03] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:17:11] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carol Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.