Threat Intelligence

6/6/2018
02:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Operation Prowli Hits 40K with Traffic Monetization, Cryptomining

The campaign targets services including Drupal CMS sites, DSL modems, vulnerable IoT devices, and servers with an open SSH port.

A new attack campaign dubbed Operation Prowli has so far hit 40,000 victim machines in 9,000 businesses across industries including finance, education, and government. Prowli is a global threat, spreading malware and malicious code to vulnerable servers and websites.

On April 4 Guardicore Labs researchers saw a group of SSH attacks communicating with a C&C server and downloading attack tools named r2r2and a cryptocurrency miner. They took a closer look upon seeing that the campaign used tools unfamiliar to their system, affected networks around the world, and used binaries designed to attack various services and CPU architectures.

Over three weeks of analysis they recorded dozens of attacks like this coming from more than 180 IPs and several countries and organizations. Prowli targets services including Drupal CMS websites, WordPress sites, DSL modems, vulnerable IoT devices, servers with an open SSH port, and servers exposing HP Data Protector Software. All are vulnerable to remote pre-authentication attacks or enable hackers to brute-force their way in.

The goal driving Operation Prowli is, presumably, to hack into as many servers, IoT devices, and endpoints as possible and monetize them, and the threat actor(s) behind the campaign "have a variety of attack methods" to generate funds, says Ofri Ziv, head of Guardicore Labs.

Where the Money Flows

One of these is an SSH worm. Machines running SSH are hacked by a self-propagating worm spread via brute force credential guessing.  r2r2, the tool that sparked Guardicore's investigation, randomly generates IP blocks and tries to brute force SSH logins using a username/password dictionary. When it does, it runs several commands on the victim.

Prowli's operators mostly use their access to mine cryptocurrency on targets' machines, says Ziv. They prefer Monero, which provides greater anonymity than Bitcoin.

The second is traffic monetization fraud, which Ziv says is more unique. Traffic monetizers buy traffic from website operators, in this case the Prowli attackers, and they redirect traffic to different domains on demand. Site operators earn money based on traffic sent through monetizers to these domains, which range from fake services to malicious browser extensions.

"Basically, our attacker is redirecting traffic to a traffic monetizer, who in turn redirects people to various scam operators," Ziv explains. It's far more aggressive, and far more impactful, than taking up electrical power to mine cryptocurrency, adds Daniel Goldberg, Guardicore Labs security researcher.

The most vulnerable websites are the low-hanging fruit for cybercriminals, says Goldberg. "Our attacker focuses on CMS website systems that have easily wormable vulnerabilities," he explains. Wordpress servers, for example, are accessible with a variety of vectors. Some attackers try to brute force into the WP admin panel; others abuse old flaws in WP installations. Some look for servers with configuration problems.

Attackers also target systems running Drupal, PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports exposed to brute force credential guessing, researchers say.

"What they have in mind is not security, they just want to have a server that will host their website," says Ziv of sites running exposed servers. "They're doing every mistake possible … [they're] using weak passwords, they don't configure the server properly, so sometimes the attacker is able to just get configuration of the server directly from the Internet."

Takeaways for the Enterprise

Goldberg points out that alongside financial gain, Prowli is also building a collection of databases that can be remotely hacked and saved for future access. With data on how to get back in, the operators can perform a range of attacks including ransomware and SMB exploits.

Given the attacks are based on a combination of known vulnerabilities and credential guessing, researchers report the best prevention is using strong passwords and updating software. It's admittedly trivial advice, they say, and more easily said than done. Alternative measures include locking down systems and segmenting vulnerable or hard-to-secure systems.

If routine patching or external hosting isn't feasible for CMS software, researchers say you should "assume at some point it will be hacked and follow strict hardening guides, which are provided by both Drupal and Wordpress."

"We see the way he tracks victims," Ziv says of the actor behind Prowli. The attacker is organized and can easily sell databases to anyone who will offer enough money, he adds. "This is the beginning of something that can grow … there will always be victims online."

Related Content:

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.