A new attack campaign dubbed Operation Prowli has so far hit 40,000 victim machines in 9,000 businesses across industries including finance, education, and government. Prowli is a global threat, spreading malware and malicious code to vulnerable servers and websites.
On April 4 Guardicore Labs researchers saw a group of SSH attacks communicating with a C&C server and downloading attack tools named r2r2and a cryptocurrency miner. They took a closer look upon seeing that the campaign used tools unfamiliar to their system, affected networks around the world, and used binaries designed to attack various services and CPU architectures.
Over three weeks of analysis they recorded dozens of attacks like this coming from more than 180 IPs and several countries and organizations. Prowli targets services including Drupal CMS websites, WordPress sites, DSL modems, vulnerable IoT devices, servers with an open SSH port, and servers exposing HP Data Protector Software. All are vulnerable to remote pre-authentication attacks or enable hackers to brute-force their way in.
The goal driving Operation Prowli is, presumably, to hack into as many servers, IoT devices, and endpoints as possible and monetize them, and the threat actor(s) behind the campaign “have a variety of attack methods” to generate funds, says Ofri Ziv, head of Guardicore Labs.
Where the Money Flows
One of these is an SSH worm. Machines running SSH are hacked by a self-propagating worm spread via brute force credential guessing. r2r2, the tool that sparked Guardicore’s investigation, randomly generates IP blocks and tries to brute force SSH logins using a username/password dictionary. When it does, it runs several commands on the victim.
Prowli’s operators mostly use their access to mine cryptocurrency on targets’ machines, says Ziv. They prefer Monero, which provides greater anonymity than Bitcoin.
The second is traffic monetization fraud, which Ziv says is more unique. Traffic monetizers buy traffic from website operators, in this case the Prowli attackers, and they redirect traffic to different domains on demand. Site operators earn money based on traffic sent through monetizers to these domains, which range from fake services to malicious browser extensions.
“Basically, our attacker is redirecting traffic to a traffic monetizer, who in turn redirects people to various scam operators,” Ziv explains. It’s far more aggressive, and far more impactful, than taking up electrical power to mine cryptocurrency, adds Daniel Goldberg, Guardicore Labs security researcher.
The most vulnerable websites are the low-hanging fruit for cybercriminals, says Goldberg. “Our attacker focuses on CMS website systems that have easily wormable vulnerabilities,” he explains. WordPress servers, for example, are accessible with a variety of vectors. Some attackers try to brute force into the WP admin panel; others abuse old flaws in WP installations. Some look for servers with configuration problems.
Attackers also target systems running Drupal, PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports exposed to brute force credential guessing, researchers say.
“What they have in mind is not security, they just want to have a server that will host their website,” says Ziv of sites running exposed servers. “They’re doing every mistake possible … [they’re] using weak passwords, they don’t configure the server properly, so sometimes the attacker is able to just get configuration of the server directly from the Internet.”
Takeaways for the Enterprise
Goldberg points out that alongside financial gain, Prowli is also building a collection of databases that can be remotely hacked and saved for future access. With data on how to get back in, the operators can perform a range of attacks including ransomware and SMB exploits.
Given the attacks are based on a combination of known vulnerabilities and credential guessing, researchers report the best prevention is using strong passwords and updating software. It’s admittedly trivial advice, they say, and more easily said than done. Alternative measures include locking down systems and segmenting vulnerable or hard-to-secure systems.
If routine patching or external hosting isn’t feasible for CMS software, researchers say you should “assume at some point it will be hacked and follow strict hardening guides, which are provided by both Drupal and WordPress.”
“We see the way he tracks victims,” Ziv says of the actor behind Prowli. The attacker is organized and can easily sell databases to anyone who will offer enough money, he adds. “This is the beginning of something that can grow … there will always be victims online.”
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio