Intrusions weaponizing the open-source monitoring tool Nezha have been conducted by suspected Chinese threat actors to facilitate Gh0st RAT injections, The Hacker News reports.
More than 100 machines, most of them in Taiwan, Japan, South Korea, and Hong Kong, have been compromised as part of the campaign, a report from Huntress researchers showed. Initial access came through an internet-exposed phpMyAdmin panel, which gave the attackers the server's SQL query interface; from there they executed multiple SQL commands that resulted in the deployment of the ANTSWORD web shell. The web shell was then used to deliver Nezha, which configured Microsoft Defender exclusions before launching Gh0st RAT.
"...[I]t's a stark reminder that while publicly available tooling can be used for legitimate purposes, it's also commonly abused by threat actors due to the low research cost, ability to provide plausible deniability compared to bespoke malware, and likelihood of being undetected by security products," said researchers.
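One defensive check for the Defender-exclusion step in the chain described above, added here as an example that is not part of the SC Media article or the Huntress report: it scans Microsoft-Windows-Windows Defender/Operational Event ID 5007 (configuration changed) messages for newly added exclusions. The sample records are constructed for illustration and the message format is assumed from Defender's documented 5007 text, not taken from the campaign.

```python
import re

# Constructed sample records in the shape of Defender Event ID 5007 messages:
# (event_id, message). They are illustrative only, not captured from the campaign.
SAMPLE_EVENTS = [
    (5007, r"Windows Defender Antivirus Configuration has changed. Old value: New value: "
           r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nz = 0x0"),
    (5007, r"Windows Defender Antivirus Configuration has changed. Old value: New value: "
           r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\svchost.exe = 0x0"),
    # A removal: the exclusion appears under "Old value" and "New value" is empty.
    (5007, r"Windows Defender Antivirus Configuration has changed. Old value: "
           r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\old = 0x0 New value: "),
    # Unrelated event, ignored by the check.
    (1116, r"Windows Defender Antivirus has detected malware or other potentially unwanted software."),
]

# Match only the "New value" side so that removals are not reported as additions.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<value>.+?)\s*=\s*0x[0-9A-Fa-f]+"
)


def find_exclusion_additions(events):
    """Return (kind, value) for every 5007 event that ADDS a Defender exclusion.

    kind is one of Paths, Processes or Extensions; value is the excluded path,
    process name or extension. Exclusion removals and other event IDs are skipped.
    """
    found = []
    for event_id, message in events:
        if event_id != 5007:
            continue
        match = EXCLUSION_RE.search(message)
        if match:
            found.append((match.group("kind"), match.group("value")))
    return found


if __name__ == "__main__":
    for kind, value in find_exclusion_additions(SAMPLE_EVENTS):
        print(f"Defender exclusion added: {kind} -> {value}")
```

On a live host the same function can be fed records pulled from the Defender operational log (for example via `Get-WinEvent`), and any addition that does not match a known change window is worth treating as a lead for the rest of the chain.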
Open-source Nezha tool harnessed in China-nexus hacking campaign