Threat Intelligence

6/6/2018
02:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Operation Prowli Hits 40K with Traffic Monetization, Cryptomining

The campaign targets services including Drupal CMS sites, DSL modems, vulnerable IoT devices, and servers with an open SSH port.

A new attack campaign dubbed Operation Prowli has so far hit 40,000 victim machines in 9,000 businesses across industries including finance, education, and government. Prowli is a global threat, spreading malware and malicious code to vulnerable servers and websites.

On April 4 Guardicore Labs researchers saw a group of SSH attacks communicating with a C&C server and downloading attack tools named r2r2and a cryptocurrency miner. They took a closer look upon seeing that the campaign used tools unfamiliar to their system, affected networks around the world, and used binaries designed to attack various services and CPU architectures.

Over three weeks of analysis they recorded dozens of attacks like this coming from more than 180 IPs and several countries and organizations. Prowli targets services including Drupal CMS websites, WordPress sites, DSL modems, vulnerable IoT devices, servers with an open SSH port, and servers exposing HP Data Protector Software. All are vulnerable to remote pre-authentication attacks or enable hackers to brute-force their way in.

The goal driving Operation Prowli is, presumably, to hack into as many servers, IoT devices, and endpoints as possible and monetize them, and the threat actor(s) behind the campaign "have a variety of attack methods" to generate funds, says Ofri Ziv, head of Guardicore Labs.

Where the Money Flows

One of these is an SSH worm. Machines running SSH are hacked by a self-propagating worm spread via brute force credential guessing.  r2r2, the tool that sparked Guardicore's investigation, randomly generates IP blocks and tries to brute force SSH logins using a username/password dictionary. When it does, it runs several commands on the victim.

Prowli's operators mostly use their access to mine cryptocurrency on targets' machines, says Ziv. They prefer Monero, which provides greater anonymity than Bitcoin.

The second is traffic monetization fraud, which Ziv says is more unique. Traffic monetizers buy traffic from website operators, in this case the Prowli attackers, and they redirect traffic to different domains on demand. Site operators earn money based on traffic sent through monetizers to these domains, which range from fake services to malicious browser extensions.

"Basically, our attacker is redirecting traffic to a traffic monetizer, who in turn redirects people to various scam operators," Ziv explains. It's far more aggressive, and far more impactful, than taking up electrical power to mine cryptocurrency, adds Daniel Goldberg, Guardicore Labs security researcher.

The most vulnerable websites are the low-hanging fruit for cybercriminals, says Goldberg. "Our attacker focuses on CMS website systems that have easily wormable vulnerabilities," he explains. Wordpress servers, for example, are accessible with a variety of vectors. Some attackers try to brute force into the WP admin panel; others abuse old flaws in WP installations. Some look for servers with configuration problems.

Attackers also target systems running Drupal, PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports exposed to brute force credential guessing, researchers say.

"What they have in mind is not security, they just want to have a server that will host their website," says Ziv of sites running exposed servers. "They're doing every mistake possible … [they're] using weak passwords, they don't configure the server properly, so sometimes the attacker is able to just get configuration of the server directly from the Internet."

Takeaways for the Enterprise

Goldberg points out that alongside financial gain, Prowli is also building a collection of databases that can be remotely hacked and saved for future access. With data on how to get back in, the operators can perform a range of attacks including ransomware and SMB exploits.

Given the attacks are based on a combination of known vulnerabilities and credential guessing, researchers report the best prevention is using strong passwords and updating software. It's admittedly trivial advice, they say, and more easily said than done. Alternative measures include locking down systems and segmenting vulnerable or hard-to-secure systems.

If routine patching or external hosting isn't feasible for CMS software, researchers say you should "assume at some point it will be hacked and follow strict hardening guides, which are provided by both Drupal and Wordpress."

"We see the way he tracks victims," Ziv says of the actor behind Prowli. The attacker is organized and can easily sell databases to anyone who will offer enough money, he adds. "This is the beginning of something that can grow … there will always be victims online."

Related Content:

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.