Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Operation Prowli Infects 40,000 Systems for Cryptomining

GuardiCore researchers uncover a campaign that has comprised vulnerable servers at more than 9,000 companies worldwide for cryptojacking and traffic manipulation purposes.

A wide-ranging campaign that uses an array of attack techniques has infected more than 40,000 machines at 9,000 companies around the globe, and is targeting the systems to run traffic manipulation and cryptocurrency mining operations.

According to researchers from GuardiCore Labs, during the campaign, called Operation Prowli, attackers used such methods as brute forcing their way through passwords to spread a self-propagating worm for crytpomining, exploiting vulnerabilities in some systems and targeting servers with weak configurations. The campaign is focused on a number of different platforms, including CMS website-hosting servers, backup servers with HP Data Protector, Internet of things (IoT) devices and DSL modems, exploiting unsecured websites and servers.

GuardiCore analysts first caught wind of the campaign April 4, when their GuardiCore Global Sensor Network detected SSH attacks that were communicating with a control-and-command (C&C) server, they wrote in a blog post. These attacks all worked in the same manner and all communicated with the same C&C server. They downloaded attack tools called r2r2 as well as a cryptocurrency miner. Of particular interest was that the campaign ran across multiple networks in different countries and attacked different industries.

In addition, the hackers were using tools that were unfamiliar to both GuardiCore and other datasets, including VirusTotal, and the attackers "used binaries with the same domain name hardcoded in the code and each binary was designed to attack different services and CPU architectures," the researchers wrote. In tracking the campaign over three weeks, they saw attacks at a rate of dozens per day from more than 180 IPs from different countries and organizations.

"We found that the attackers store a large collection of victim machines with IPs and domains that expose different services to the Internet," they wrote. "These services are all either vulnerable to remote pre-authentication attacks or allow the attackers to bruteforce their way inside. … The attackers behind Operation Prowli assaulted organizations of all types and sizes which is in line with previous attacks we investigated. Operation Prowli has compromised a wide range of services, without targeting a specific sector."

They also used multiple avenues for monetizing the systems they compromised.

Not surprisingly, one way is through cryptomining, which has overtaken ransomware as the malware of choice for many hackers. Security firms ranging from Check Point and MalwareBytes to Fortinet have said the incidence of cryptomining malware -- where threat actors steal the CPU power from compromised PCs, mobile devices and servers to mine cryptocurrency -- has ramped up since the end of next year. (See Check Point: Cryptomining Malware Targeting Vulnerable Servers.)

Seeing Operation Prowli pursue cryptomining doesn't surprise Mike Banic, vice president at Vectra, which sells automated threat management solutions, who said compromised machines can be used for other attacks as well.

"Cryptomining has been on the increase since last August based on our research in the 'Attacker Behavior Industry Report'," Banic told Security Now in an email. "Cryptojacking is typically not a high priority for a security operation, because the attacker isn't trying to steal sensitive data. However, cryptojacked machines are at the greatest risk when the price of cryptocurrencies fall because the profitability drops and the botherder who pwns the machine may sell it to someone who wants to steal your sensitive data. This is why it imperative to have detection technology that can alert you to attacker behaviors on your internal network that enable the security team to respond fast as the attack pivots." (See Satori Botnet Plays Hidden Role in Cryptomining Scheme, Researchers Find.)

Dan Hubbard, chief security architect at cloud security solutions provider Lacework, told Security Now in an email:

We have seen a continued escalation and increase of cryptojacking attacks. While Operation Prowl is certainly an example, the attackers are also utilizing everything from mobile devices to taking over accounts in large-scale public cloud computing environments in order to launch specific high-performance GPU workload types. Additionally, some of our honeypots in the public cloud that have been attacked with cryptojacking attacks are shortly followed up with ransomware attempts.

Operation Prowli attackers use r2r2 to take over computers and then use mining pools to launder the money they make, according to GuardiCore. Like other cryptomining threat actors, those with Prowli mine Monero, which is more focused on privacy and anonymity than other cryptocurrency such as Bitcoin.

The other monetization route is through traffic manipulation, which the GuardiCore analysts called "a dirty business." Traffic monetizers buy traffic from hackers like those from Prowli, and then redirect the traffic to domains. The website operators like Prowli make money through the traffic sent through the monetizers. In the case of Operation Prowli, the attackers are selling traffic by redirecting people from legitimate websites that have been compromised to malicious domains that are hosting such scams as fraudulent tech support, scam products and fake browser extensions.

They Prowli attackers also are leaving backdoors and collecting metadata on victims, which enables them to reuse the compromised servers for other purposes beyond cryptomining and traffic manipulation or to sell the data they’ve stored.

"The attacks are based on a mix of known vulnerabilities and credential guessing," the GuardiCore researchers wrote. "This means prevention should consist of using strong passwords and keeping software up to date. While 'patch your servers and use strong passwords' may sound trivial, we know that 'in real life' things are much more complicated. Alternatives include locking down systems and segmenting vulnerable or hard to secure systems, to separate them from the rest of your network."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...