Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/6/2018
02:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Operation Prowli Hits 40K with Traffic Monetization, Cryptomining

The campaign targets services including Drupal CMS sites, DSL modems, vulnerable IoT devices, and servers with an open SSH port.

A new attack campaign dubbed Operation Prowli has so far hit 40,000 victim machines in 9,000 businesses across industries including finance, education, and government. Prowli is a global threat, spreading malware and malicious code to vulnerable servers and websites.

On April 4 Guardicore Labs researchers saw a group of SSH attacks communicating with a C&C server and downloading attack tools named r2r2and a cryptocurrency miner. They took a closer look upon seeing that the campaign used tools unfamiliar to their system, affected networks around the world, and used binaries designed to attack various services and CPU architectures.

Over three weeks of analysis they recorded dozens of attacks like this coming from more than 180 IPs and several countries and organizations. Prowli targets services including Drupal CMS websites, WordPress sites, DSL modems, vulnerable IoT devices, servers with an open SSH port, and servers exposing HP Data Protector Software. All are vulnerable to remote pre-authentication attacks or enable hackers to brute-force their way in.

The goal driving Operation Prowli is, presumably, to hack into as many servers, IoT devices, and endpoints as possible and monetize them, and the threat actor(s) behind the campaign "have a variety of attack methods" to generate funds, says Ofri Ziv, head of Guardicore Labs.

Where the Money Flows

One of these is an SSH worm. Machines running SSH are hacked by a self-propagating worm spread via brute force credential guessing.  r2r2, the tool that sparked Guardicore's investigation, randomly generates IP blocks and tries to brute force SSH logins using a username/password dictionary. When it does, it runs several commands on the victim.

Prowli's operators mostly use their access to mine cryptocurrency on targets' machines, says Ziv. They prefer Monero, which provides greater anonymity than Bitcoin.

The second is traffic monetization fraud, which Ziv says is more unique. Traffic monetizers buy traffic from website operators, in this case the Prowli attackers, and they redirect traffic to different domains on demand. Site operators earn money based on traffic sent through monetizers to these domains, which range from fake services to malicious browser extensions.

"Basically, our attacker is redirecting traffic to a traffic monetizer, who in turn redirects people to various scam operators," Ziv explains. It's far more aggressive, and far more impactful, than taking up electrical power to mine cryptocurrency, adds Daniel Goldberg, Guardicore Labs security researcher.

The most vulnerable websites are the low-hanging fruit for cybercriminals, says Goldberg. "Our attacker focuses on CMS website systems that have easily wormable vulnerabilities," he explains. Wordpress servers, for example, are accessible with a variety of vectors. Some attackers try to brute force into the WP admin panel; others abuse old flaws in WP installations. Some look for servers with configuration problems.

Attackers also target systems running Drupal, PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports exposed to brute force credential guessing, researchers say.

"What they have in mind is not security, they just want to have a server that will host their website," says Ziv of sites running exposed servers. "They're doing every mistake possible … [they're] using weak passwords, they don't configure the server properly, so sometimes the attacker is able to just get configuration of the server directly from the Internet."

Takeaways for the Enterprise

Goldberg points out that alongside financial gain, Prowli is also building a collection of databases that can be remotely hacked and saved for future access. With data on how to get back in, the operators can perform a range of attacks including ransomware and SMB exploits.

Given the attacks are based on a combination of known vulnerabilities and credential guessing, researchers report the best prevention is using strong passwords and updating software. It's admittedly trivial advice, they say, and more easily said than done. Alternative measures include locking down systems and segmenting vulnerable or hard-to-secure systems.

If routine patching or external hosting isn't feasible for CMS software, researchers say you should "assume at some point it will be hacked and follow strict hardening guides, which are provided by both Drupal and Wordpress."

"We see the way he tracks victims," Ziv says of the actor behind Prowli. The attacker is organized and can easily sell databases to anyone who will offer enough money, he adds. "This is the beginning of something that can grow … there will always be victims online."

Related Content:

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-2322
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
CVE-2021-20019
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
CVE-2021-21809
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
CVE-2021-34067
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
CVE-2021-34068
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.