Operation Prowli Infects 40,000 Systems for Cryptomining

A wide-ranging campaign that uses an array of attack techniques has infected more than 40,000 machines at 9,000 companies around the globe, and is targeting the systems to run traffic manipulation and cryptocurrency mining operations.

According to researchers from GuardiCore Labs, during the campaign, called Operation Prowli, attackers used such methods as brute forcing their way through passwords to spread a self-propagating worm for crytpomining, exploiting vulnerabilities in some systems and targeting servers with weak configurations. The campaign is focused on a number of different platforms, including CMS website-hosting servers, backup servers with HP Data Protector, Internet of things (IoT) devices and DSL modems, exploiting unsecured websites and servers.

GuardiCore analysts first caught wind of the campaign April 4, when their GuardiCore Global Sensor Network detected SSH attacks that were communicating with a control-and-command (C&C) server, they wrote in a blog post. These attacks all worked in the same manner and all communicated with the same C&C server. They downloaded attack tools called r2r2 as well as a cryptocurrency miner. Of particular interest was that the campaign ran across multiple networks in different countries and attacked different industries.

(Source: GuardiCore)

In addition, the hackers were using tools that were unfamiliar to both GuardiCore and other datasets, including VirusTotal, and the attackers "used binaries with the same domain name hardcoded in the code and each binary was designed to attack different services and CPU architectures," the researchers wrote. In tracking the campaign over three weeks, they saw attacks at a rate of dozens per day from more than 180 IPs from different countries and organizations.

"We found that the attackers store a large collection of victim machines with IPs and domains that expose different services to the Internet," they wrote. "These services are all either vulnerable to remote pre-authentication attacks or allow the attackers to bruteforce their way inside. … The attackers behind Operation Prowli assaulted organizations of all types and sizes which is in line with previous attacks we investigated. Operation Prowli has compromised a wide range of services, without targeting a specific sector."

They also used multiple avenues for monetizing the systems they compromised.

Not surprisingly, one way is through cryptomining, which has overtaken ransomware as the malware of choice for many hackers. Security firms ranging from Check Point and MalwareBytes to Fortinet have said the incidence of cryptomining malware -- where threat actors steal the CPU power from compromised PCs, mobile devices and servers to mine cryptocurrency -- has ramped up since the end of next year. (See Check Point: Cryptomining Malware Targeting Vulnerable Servers.)

Seeing Operation Prowli pursue cryptomining doesn't surprise Mike Banic, vice president at Vectra, which sells automated threat management solutions, who said compromised machines can be used for other attacks as well.

"Cryptomining has been on the increase since last August based on our research in the 'Attacker Behavior Industry Report'," Banic told Security Now in an email. "Cryptojacking is typically not a high priority for a security operation, because the attacker isn't trying to steal sensitive data. However, cryptojacked machines are at the greatest risk when the price of cryptocurrencies fall because the profitability drops and the botherder who pwns the machine may sell it to someone who wants to steal your sensitive data. This is why it imperative to have detection technology that can alert you to attacker behaviors on your internal network that enable the security team to respond fast as the attack pivots." (See Satori Botnet Plays Hidden Role in Cryptomining Scheme, Researchers Find.)

Dan Hubbard, chief security architect at cloud security solutions provider Lacework, told Security Now in an email:

"We have seen a continued escalation and increase of cryptojacking attacks. While Operation Prowl is certainly an example, the attackers are also utilizing everything from mobile devices to taking over accounts in large-scale public cloud computing environments in order to launch specific high-performance GPU workload types. Additionally, some of our honeypots in the public cloud that have been attacked with cryptojacking attacks are shortly followed up with ransomware attempts."

Operation Prowli attackers use r2r2 to take over computers and then use mining pools to launder the money they make, according to GuardiCore. Like other cryptomining threat actors, those with Prowli mine Monero, which is more focused on privacy and anonymity than other cryptocurrency such as Bitcoin.

The other monetization route is through traffic manipulation, which the GuardiCore analysts called "a dirty business." Traffic monetizers buy traffic from hackers like those from Prowli, and then redirect the traffic to domains. The website operators like Prowli make money through the traffic sent through the monetizers. In the case of Operation Prowli, the attackers are selling traffic by redirecting people from legitimate websites that have been compromised to malicious domains that are hosting such scams as fraudulent tech support, scam products and fake browser extensions.

They Prowli attackers also are leaving backdoors and collecting metadata on victims, which enables them to reuse the compromised servers for other purposes beyond cryptomining and traffic manipulation or to sell the data they’ve stored.

"The attacks are based on a mix of known vulnerabilities and credential guessing," the GuardiCore researchers wrote. "This means prevention should consist of using strong passwords and keeping software up to date. While 'patch your servers and use strong passwords' may sound trivial, we know that 'in real life' things are much more complicated. Alternatives include locking down systems and segmenting vulnerable or hard to secure systems, to separate them from the rest of your network."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.