Hackers Infect 50,000 Servers With Sophisticated Crypto Mining Malware

Hackers have breached over 50,000 servers across the world to mine cryptocurrency using unusually sophisticated tools, according to a new report.

Jun 3, 2019 at 3:00 p.m. UTC
Updated Sep 13, 2021 at 9:16 a.m. UTC

Cybersecurity firm Guardicore Labs said on May 29 that the large-scale malware campaign, dubbed the "Nansh0u campaign", had been ongoing since February and was spreading to more than 700 new victims a day. The attack mostly targeted firms in the healthcare, telecoms, media and IT sectors.

Guardicore found 20 distinct malicious payloads over the course of the campaign, with new ones created "at least once a week" and put into use as soon as they were built. The payload also installed a rootkit that prevented the malware's removal.

The firm said it contacted the hosting provider of the attack servers and the authority that issued the certificate used to sign the rootkit.

“As a result, the attack servers were taken down and the certificate was revoked,” it said.

Notably, the cybersecurity firm said the attack used sophisticated tools of the kind associated with nation states, which it took as a sign that elite offensive tooling is becoming more readily accessible to cyber criminals.

The package was also written using Chinese language tools and placed on Chinese language servers, according to the firm.

Guardicore said:

“The Nansh0u campaign is not a typical crypto-miner attack. It uses techniques often seen in APTs [advanced persistent threats] such as fake certificates and privilege escalation exploits. While advanced attack tools have normally been the property of highly skilled adversaries, this campaign shows that these tools can now easily fall into the hands of less than top-notch attackers.”

The firm said the campaign demonstrates that strong credentials are vital in protecting companies' assets.

“This campaign demonstrates once again that common passwords still comprise the weakest link in today’s attack flows. Seeing tens of thousands of servers compromised by a simple brute-force attack, we highly recommend that organizations protect their assets with strong credentials as well as network segmentation solutions,” the report concluded.
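The report's closing point is that the initial access was a plain brute-force attack against weak passwords. The following is an added example, not code from Guardicore or from the CoinDesk article: a sliding-window brute-force detector run over a handful of constructed authentication log lines. The log format (timestamp, FAIL/OK, user, source IP) is an assumption made for the example; the regex would need to match the real service's log format.

```python
"""Added example (not from the Guardicore report or the CoinDesk article):
a sliding-window brute-force detector over authentication log lines.

Assumed (constructed) log format, one event per line:
    <ISO-8601 timestamp> <FAIL|OK> user=<name> src=<ip>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines (not real data). 10.0.0.9 hammers the
# 'sa' account once per second and finally gets in; 10.0.0.2 is a
# legitimate user who mistypes a password once.
SAMPLE_LOG = """\
2019-05-01T10:00:00 FAIL user=admin src=10.0.0.2
2019-05-01T10:00:05 OK user=admin src=10.0.0.2
2019-05-01T10:01:00 FAIL user=sa src=10.0.0.9
2019-05-01T10:01:01 FAIL user=sa src=10.0.0.9
2019-05-01T10:01:02 FAIL user=sa src=10.0.0.9
2019-05-01T10:01:03 FAIL user=sa src=10.0.0.9
2019-05-01T10:01:04 FAIL user=sa src=10.0.0.9
2019-05-01T10:01:05 FAIL user=sa src=10.0.0.9
2019-05-01T10:01:06 OK user=sa src=10.0.0.9
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (flagged, compromised).

    flagged:     {src: time} for sources with >= threshold failed logins
                 inside any window of the given length.
    compromised: {src: time} for a successful login from a source that was
                 already flagged, i.e. the brute force most likely worked.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = {}
    compromised = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "FAIL":
            q = failures[src]
            q.append(ts)
            # Drop failures that have fallen out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ts
        elif src in flagged and src not in compromised:
            # A success after a burst of failures: treat as account takeover.
            compromised[src] = ts
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect_bruteforce(SAMPLE_LOG)
    for src, ts in flagged.items():
        print(f"brute force from {src} (threshold reached at {ts})")
    for src, ts in compromised.items():
        print(f"successful login after failure burst from {src} at {ts}")
```

The threshold and window are deliberately conservative so that one mistyped password from a real user is not flagged; the success-after-burst signal is the one worth paging on, since it marks the point at which a weak credential has actually been guessed.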


Disclosure

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.