Threat Intelligence

6/6/2018
02:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Operation Prowli Hits 40K with Traffic Monetization, Cryptomining

The campaign targets services including Drupal CMS sites, DSL modems, vulnerable IoT devices, and servers with an open SSH port.

A new attack campaign dubbed Operation Prowli has so far hit 40,000 victim machines in 9,000 businesses across industries including finance, education, and government. Prowli is a global threat, spreading malware and malicious code to vulnerable servers and websites.

On April 4 Guardicore Labs researchers saw a group of SSH attacks communicating with a C&C server and downloading attack tools named r2r2and a cryptocurrency miner. They took a closer look upon seeing that the campaign used tools unfamiliar to their system, affected networks around the world, and used binaries designed to attack various services and CPU architectures.

Over three weeks of analysis they recorded dozens of attacks like this coming from more than 180 IPs and several countries and organizations. Prowli targets services including Drupal CMS websites, WordPress sites, DSL modems, vulnerable IoT devices, servers with an open SSH port, and servers exposing HP Data Protector Software. All are vulnerable to remote pre-authentication attacks or enable hackers to brute-force their way in.

The goal driving Operation Prowli is, presumably, to hack into as many servers, IoT devices, and endpoints as possible and monetize them, and the threat actor(s) behind the campaign "have a variety of attack methods" to generate funds, says Ofri Ziv, head of Guardicore Labs.

Where the Money Flows

One of these is an SSH worm. Machines running SSH are hacked by a self-propagating worm spread via brute force credential guessing.  r2r2, the tool that sparked Guardicore's investigation, randomly generates IP blocks and tries to brute force SSH logins using a username/password dictionary. When it does, it runs several commands on the victim.

Prowli's operators mostly use their access to mine cryptocurrency on targets' machines, says Ziv. They prefer Monero, which provides greater anonymity than Bitcoin.

The second is traffic monetization fraud, which Ziv says is more unique. Traffic monetizers buy traffic from website operators, in this case the Prowli attackers, and they redirect traffic to different domains on demand. Site operators earn money based on traffic sent through monetizers to these domains, which range from fake services to malicious browser extensions.

"Basically, our attacker is redirecting traffic to a traffic monetizer, who in turn redirects people to various scam operators," Ziv explains. It's far more aggressive, and far more impactful, than taking up electrical power to mine cryptocurrency, adds Daniel Goldberg, Guardicore Labs security researcher.

The most vulnerable websites are the low-hanging fruit for cybercriminals, says Goldberg. "Our attacker focuses on CMS website systems that have easily wormable vulnerabilities," he explains. Wordpress servers, for example, are accessible with a variety of vectors. Some attackers try to brute force into the WP admin panel; others abuse old flaws in WP installations. Some look for servers with configuration problems.

Attackers also target systems running Drupal, PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports exposed to brute force credential guessing, researchers say.

"What they have in mind is not security, they just want to have a server that will host their website," says Ziv of sites running exposed servers. "They're doing every mistake possible … [they're] using weak passwords, they don't configure the server properly, so sometimes the attacker is able to just get configuration of the server directly from the Internet."

Takeaways for the Enterprise

Goldberg points out that alongside financial gain, Prowli is also building a collection of databases that can be remotely hacked and saved for future access. With data on how to get back in, the operators can perform a range of attacks including ransomware and SMB exploits.

Given the attacks are based on a combination of known vulnerabilities and credential guessing, researchers report the best prevention is using strong passwords and updating software. It's admittedly trivial advice, they say, and more easily said than done. Alternative measures include locking down systems and segmenting vulnerable or hard-to-secure systems.

If routine patching or external hosting isn't feasible for CMS software, researchers say you should "assume at some point it will be hacked and follow strict hardening guides, which are provided by both Drupal and Wordpress."

"We see the way he tracks victims," Ziv says of the actor behind Prowli. The attacker is organized and can easily sell databases to anyone who will offer enough money, he adds. "This is the beginning of something that can grow … there will always be victims online."

Related Content:

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Empathy: The Next Killer App for Cybersecurity?
Shay Colson, CISSP, Senior Manager, CyberClarity360,  11/13/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18519
PUBLISHED: 2018-11-19
BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.
CVE-2018-19355
PUBLISHED: 2018-11-19
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfi...
CVE-2008-7320
PUBLISHED: 2018-11-18
** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision.
CVE-2018-19358
PUBLISHED: 2018-11-18
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig...
CVE-2018-19351
PUBLISHED: 2018-11-18
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHand...