
IoT/Embedded Security

6/8/2018
09:35 AM
Jeffrey Burt

Operation Prowli Infects 40,000 Systems for Cryptomining

GuardiCore researchers uncover a campaign that has compromised vulnerable servers at more than 9,000 companies worldwide for cryptojacking and traffic manipulation purposes.

A wide-ranging campaign that uses an array of attack techniques has infected more than 40,000 machines at 9,000 companies around the globe, and is targeting the systems to run traffic manipulation and cryptocurrency mining operations.

According to researchers from GuardiCore Labs, during the campaign, called Operation Prowli, attackers used such methods as brute forcing passwords to spread a self-propagating cryptomining worm, exploiting vulnerabilities in some systems and targeting servers with weak configurations. The campaign is focused on a number of different platforms, including CMS website-hosting servers, backup servers running HP Data Protector, Internet of Things (IoT) devices and DSL modems, exploiting unsecured websites and servers.

GuardiCore analysts first caught wind of the campaign April 4, when their GuardiCore Global Sensor Network detected SSH attacks that were communicating with a command-and-control (C&C) server, they wrote in a blog post. These attacks all worked in the same manner and all communicated with the same C&C server. They downloaded an attack tool called r2r2 as well as a cryptocurrency miner. Of particular interest was that the campaign ran across multiple networks in different countries and attacked different industries.

In addition, the hackers were using tools that were unfamiliar to both GuardiCore and other datasets, including VirusTotal, and the attackers "used binaries with the same domain name hardcoded in the code and each binary was designed to attack different services and CPU architectures," the researchers wrote. In tracking the campaign over three weeks, they saw attacks at a rate of dozens per day from more than 180 IPs from different countries and organizations.

"We found that the attackers store a large collection of victim machines with IPs and domains that expose different services to the Internet," they wrote. "These services are all either vulnerable to remote pre-authentication attacks or allow the attackers to bruteforce their way inside. … The attackers behind Operation Prowli assaulted organizations of all types and sizes which is in line with previous attacks we investigated. Operation Prowli has compromised a wide range of services, without targeting a specific sector."

They also used multiple avenues for monetizing the systems they compromised.

Not surprisingly, one way is through cryptomining, which has overtaken ransomware as the malware of choice for many hackers. Security firms ranging from Check Point and Malwarebytes to Fortinet have said the incidence of cryptomining malware -- where threat actors steal CPU power from compromised PCs, mobile devices and servers to mine cryptocurrency -- has ramped up since the end of last year. (See Check Point: Cryptomining Malware Targeting Vulnerable Servers.)

Operation Prowli's pursuit of cryptomining doesn't surprise Mike Banic, vice president at Vectra, which sells automated threat management solutions. He said compromised machines can be used for other attacks as well.

"Cryptomining has been on the increase since last August based on our research in the 'Attacker Behavior Industry Report'," Banic told Security Now in an email. "Cryptojacking is typically not a high priority for a security operation, because the attacker isn't trying to steal sensitive data. However, cryptojacked machines are at the greatest risk when the price of cryptocurrencies falls because the profitability drops and the botherder who pwns the machine may sell it to someone who wants to steal your sensitive data. This is why it is imperative to have detection technology that can alert you to attacker behaviors on your internal network that enable the security team to respond fast as the attack pivots." (See Satori Botnet Plays Hidden Role in Cryptomining Scheme, Researchers Find.)

Dan Hubbard, chief security architect at cloud security solutions provider Lacework, told Security Now in an email:

We have seen a continued escalation and increase of cryptojacking attacks. While Operation Prowli is certainly an example, the attackers are also utilizing everything from mobile devices to taking over accounts in large-scale public cloud computing environments in order to launch specific high-performance GPU workload types. Additionally, some of our honeypots in the public cloud that have been attacked with cryptojacking attacks are shortly followed up with ransomware attempts.

Operation Prowli attackers use r2r2 to take over computers and then use mining pools to launder the money they make, according to GuardiCore. Like other cryptomining threat actors, those behind Prowli mine Monero, which is more focused on privacy and anonymity than other cryptocurrencies such as Bitcoin.

The other monetization route is through traffic manipulation, which the GuardiCore analysts called "a dirty business." Traffic monetizers buy traffic from hackers like those behind Prowli and then redirect that traffic to domains of their choosing; attackers like Prowli make money from the traffic they send through the monetizers. In the case of Operation Prowli, the attackers are selling traffic by redirecting visitors from legitimate websites that have been compromised to malicious domains hosting such scams as fraudulent tech support, scam products and fake browser extensions.

The Prowli attackers also are leaving backdoors and collecting metadata on victims, which enables them to reuse the compromised servers for purposes beyond cryptomining and traffic manipulation, or to sell the data they've stored.

"The attacks are based on a mix of known vulnerabilities and credential guessing," the GuardiCore researchers wrote. "This means prevention should consist of using strong passwords and keeping software up to date. While 'patch your servers and use strong passwords' may sound trivial, we know that 'in real life' things are much more complicated. Alternatives include locking down systems and segmenting vulnerable or hard to secure systems, to separate them from the rest of your network."
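The SSH credential guessing GuardiCore's sensor network picked up is the kind of activity a defender can spot in ordinary sshd authentication logs. The following is an added example written for this article, not code from GuardiCore or from the Prowli tooling: it parses syslog-style sshd lines, counts failed password attempts per source address, and flags both sources that exceed a failure threshold and the more urgent case of a password login that succeeds after a run of failures from the same address. The log lines, hostnames and addresses are constructed sample data (reserved documentation ranges), and the threshold value is an assumption to tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (syslog format). Not taken from the article,
# GuardiCore's report, or any real host; addresses are from reserved doc ranges.
SAMPLE_AUTH_LOG = """\
Apr  4 03:12:01 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51122 ssh2
Apr  4 03:12:03 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51124 ssh2
Apr  4 03:12:05 web1 sshd[2233]: Failed password for admin from 203.0.113.45 port 51130 ssh2
Apr  4 03:12:07 web1 sshd[2235]: Failed password for invalid user oracle from 203.0.113.45 port 51133 ssh2
Apr  4 03:12:09 web1 sshd[2237]: Failed password for root from 203.0.113.45 port 51140 ssh2
Apr  4 03:12:11 web1 sshd[2239]: Accepted password for root from 203.0.113.45 port 51144 ssh2
Apr  4 03:15:42 web1 sshd[2301]: Failed password for deploy from 198.51.100.7 port 40010 ssh2
Apr  4 03:16:00 web1 sshd[2305]: Accepted publickey for deploy from 198.51.100.7 port 40012 ssh2
Apr  4 03:20:00 web1 sshd[2400]: Failed password for root from 192.0.2.99 port 33001 ssh2
Apr  4 03:20:01 web1 sshd[2401]: Failed password for root from 192.0.2.99 port 33002 ssh2
"""

# "invalid user" appears when the username does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port"
)


def analyze_auth_log(text, threshold=5):
    """Return a list of findings from sshd log text.

    threshold: number of failed password attempts from one source address
    that counts as brute forcing (assumed value; tune per environment).
    """
    failures = defaultdict(int)      # source ip -> failed password count
    users_tried = defaultdict(set)   # source ip -> usernames attempted
    findings = []

    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # A password login that lands after earlier failures from the same
            # address is the signature of a guess that eventually worked.
            # Key-based logins after a typo-style failure are not flagged.
            if method == "password" and failures.get(ip, 0) > 0:
                findings.append({
                    "type": "success_after_failures",
                    "ip": ip,
                    "user": user,
                    "failures": failures[ip],
                })

    # Sources that crossed the threshold, whether or not they ever got in.
    for ip, count in failures.items():
        if count >= threshold:
            findings.append({
                "type": "bruteforce",
                "ip": ip,
                "failures": count,
                "users": sorted(users_tried[ip]),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_auth_log(SAMPLE_AUTH_LOG):
        print(finding)
```

On the constructed sample, the script reports 203.0.113.45 twice: once for the successful password login that followed five failures (the case worth an immediate response, since the host is now likely running the miner and r2r2), and once as a brute-force source. The two failures from 192.0.2.99 stay below the default threshold; lowering it to 2 would surface that address as well. Running this over real logs works best on a central log host, because a single compromised server can have its local logs altered after a successful login.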


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
