Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

// // //
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Operation Prowli Infects 40,000 Systems for Cryptomining

GuardiCore researchers uncover a campaign that has comprised vulnerable servers at more than 9,000 companies worldwide for cryptojacking and traffic manipulation purposes.

A wide-ranging campaign that uses an array of attack techniques has infected more than 40,000 machines at 9,000 companies around the globe, and is targeting the systems to run traffic manipulation and cryptocurrency mining operations.

According to researchers from GuardiCore Labs, during the campaign, called Operation Prowli, attackers used such methods as brute forcing their way through passwords to spread a self-propagating worm for crytpomining, exploiting vulnerabilities in some systems and targeting servers with weak configurations. The campaign is focused on a number of different platforms, including CMS website-hosting servers, backup servers with HP Data Protector, Internet of things (IoT) devices and DSL modems, exploiting unsecured websites and servers.

GuardiCore analysts first caught wind of the campaign April 4, when their GuardiCore Global Sensor Network detected SSH attacks that were communicating with a control-and-command (C&C) server, they wrote in a blog post. These attacks all worked in the same manner and all communicated with the same C&C server. They downloaded attack tools called r2r2 as well as a cryptocurrency miner. Of particular interest was that the campaign ran across multiple networks in different countries and attacked different industries.

(Source: GuardiCore)
(Source: GuardiCore)

In addition, the hackers were using tools that were unfamiliar to both GuardiCore and other datasets, including VirusTotal, and the attackers "used binaries with the same domain name hardcoded in the code and each binary was designed to attack different services and CPU architectures," the researchers wrote. In tracking the campaign over three weeks, they saw attacks at a rate of dozens per day from more than 180 IPs from different countries and organizations.

"We found that the attackers store a large collection of victim machines with IPs and domains that expose different services to the Internet," they wrote. "These services are all either vulnerable to remote pre-authentication attacks or allow the attackers to bruteforce their way inside. … The attackers behind Operation Prowli assaulted organizations of all types and sizes which is in line with previous attacks we investigated. Operation Prowli has compromised a wide range of services, without targeting a specific sector."

They also used multiple avenues for monetizing the systems they compromised.

Not surprisingly, one way is through cryptomining, which has overtaken ransomware as the malware of choice for many hackers. Security firms ranging from Check Point and MalwareBytes to Fortinet have said the incidence of cryptomining malware -- where threat actors steal the CPU power from compromised PCs, mobile devices and servers to mine cryptocurrency -- has ramped up since the end of next year. (See Check Point: Cryptomining Malware Targeting Vulnerable Servers.)

Seeing Operation Prowli pursue cryptomining doesn't surprise Mike Banic, vice president at Vectra, which sells automated threat management solutions, who said compromised machines can be used for other attacks as well.

"Cryptomining has been on the increase since last August based on our research in the 'Attacker Behavior Industry Report'," Banic told Security Now in an email. "Cryptojacking is typically not a high priority for a security operation, because the attacker isn't trying to steal sensitive data. However, cryptojacked machines are at the greatest risk when the price of cryptocurrencies fall because the profitability drops and the botherder who pwns the machine may sell it to someone who wants to steal your sensitive data. This is why it imperative to have detection technology that can alert you to attacker behaviors on your internal network that enable the security team to respond fast as the attack pivots." (See Satori Botnet Plays Hidden Role in Cryptomining Scheme, Researchers Find.)

Dan Hubbard, chief security architect at cloud security solutions provider Lacework, told Security Now in an email:

We have seen a continued escalation and increase of cryptojacking attacks. While Operation Prowl is certainly an example, the attackers are also utilizing everything from mobile devices to taking over accounts in large-scale public cloud computing environments in order to launch specific high-performance GPU workload types. Additionally, some of our honeypots in the public cloud that have been attacked with cryptojacking attacks are shortly followed up with ransomware attempts.

Operation Prowli attackers use r2r2 to take over computers and then use mining pools to launder the money they make, according to GuardiCore. Like other cryptomining threat actors, those with Prowli mine Monero, which is more focused on privacy and anonymity than other cryptocurrency such as Bitcoin.

The other monetization route is through traffic manipulation, which the GuardiCore analysts called "a dirty business." Traffic monetizers buy traffic from hackers like those from Prowli, and then redirect the traffic to domains. The website operators like Prowli make money through the traffic sent through the monetizers. In the case of Operation Prowli, the attackers are selling traffic by redirecting people from legitimate websites that have been compromised to malicious domains that are hosting such scams as fraudulent tech support, scam products and fake browser extensions.

They Prowli attackers also are leaving backdoors and collecting metadata on victims, which enables them to reuse the compromised servers for other purposes beyond cryptomining and traffic manipulation or to sell the data they’ve stored.

"The attacks are based on a mix of known vulnerabilities and credential guessing," the GuardiCore researchers wrote. "This means prevention should consist of using strong passwords and keeping software up to date. While 'patch your servers and use strong passwords' may sound trivial, we know that 'in real life' things are much more complicated. Alternatives include locking down systems and segmenting vulnerable or hard to secure systems, to separate them from the rest of your network."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...