Researchers have discovered a traffic manipulation and cryptocurrency mining campaign infecting organizations across industries from finance to education and government. The Operation Prowli campaign has been spreading malware and malicious code to servers and websites around the world, and more than 40,000 machines reportedly have been infected.
The GuardiCore Labs team found that by using exploits, password-brute-force and weak configurations attackers have had widespread success with the Prowli campaign. Targeting a variety of platforms from CMS servers hosting popular websites to backup servers running HP Data Protector and DSL modems, the multipurpose operation also goes after IoT devices.
Relying on digital currencies and traffic redirection, the campaign has already victimized more than 9,000 companies. Traffic monetization frauds are trending on the internet where attackers leverage tech support scams and promote fake websites to lure unsuspecting users away from their legitimate websites. They are then redirected to a fake site where they fall prey to clicking on malicious browser extensions.
First identified on 4 April, a group of secure-shell (SSH) attacks were discovered communicating with a command-and-control (C&C) server. "The attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools named r2r2 along with a cryptocurrency miner," GuardiCore wrote.
The researchers were able to trace the campaign around the world across several networks and found the campaign associated with different industries. "Over a period of 3 weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations. These attacks led us to investigate the attackers’ infrastructure and discover a wide ranging operation attacking multiple services."
The financially motivated attackers appeared to be targeting indiscriminately and went after domains that exposed a wide range of services to the internet. “Prowli exploits known vulnerabilities across WordPress, Joomla!, SMB, and even some DSL modems, so automated patching, along with continuous assessment and remediation, is critical to avoid these types of attacks," said Brajesh Goyal, CP of engineering, Cavirin.
These types of crypto-jacking attacks are escalating, said Dan Hubbard, chief security architect at Lacework. "Attackers are also utilizing everything from mobile devices to taking over accounts in large-scale public cloud computing environments in order to launch specific high-performance GPU workload types."
Examining network traffic will help users discover whether they've been infected. GuardiCore also advised that segmentation is a good practice, as is routinely reviewing who and what can access the servers. "Keep this list to a minimum and pay special attention to IoT devices whose credentials cannot be changed. Monitoring connections would easily show compromised devices communicating with cryptocurrency mining pools."