Researchers from GuardiCore Labs have discovered a new campaign, named Operation Prowli, which has already infected 40,000 web servers, modems and other IoT devices across the world.
The campaign spreads malware to servers and websites and uses them for cryptocurrency mining and traffic manipulation.
The Prowli campaign uses a variety of attack techniques, including exploits, password brute-forcing and abuse of weak configurations.
The platforms targeted by the Prowli campaign include websites hosted on CMS servers, backup servers running HP Data Protector, DSL modems and IoT devices.
The attackers behind Operation Prowli use two methods to generate revenue. The first is cryptocurrency mining: they use the r2r2 worm to infect devices and mine Monero.
The second source of revenue is traffic monetization fraud. "Traffic monetizers, such as roi777, buy traffic from 'website operators' such as the Prowli attackers and redirect it to domains on demand. Website 'operators' earn money per traffic sent through roi777. The destination domains frequently host different scams, such as fake services, malicious browser extensions and more," the GuardiCore Labs team said in its report.
According to GuardiCore Labs, the following devices are affected by the Prowli campaign:
- Machines running SSH are hacked by a self-propagating worm that spreads by brute-force credential guessing; the victims then download and run a cryptocurrency miner.
- Joomla! servers running the K2 extension are attacked via a file download vulnerability, using a URL such as http://.com/index.php?option=com_k2&view=media&task=connector&cmd=file&target=[base64 of file path]&download=1
- A variety of DSL modems are hacked by accessing their internet-facing configuration panel using a URL such as http://:7547/UD/act?1 and passing in parameters that exploit a known vulnerability. The vulnerability lies in the processing of SOAP data and allows remote code execution; it was previously used by the Mirai worm.
- WordPress servers are hacked by a variety of infectors: some attempt to brute-force logins to the WP administrative panel, others exploit old vulnerabilities in WordPress installations, and a third type searches for servers with configuration problems, such as exposing FTP credentials when http://.com/wp-config.php~ is accessed.
- Servers running HP Data Protector exposed to the internet (over port 5555) are exploited using a four-year-old vulnerability, CVE-2014-2623, to execute commands with system privileges.
- Systems running Drupal or phpMyAdmin, NFS boxes, and servers with exposed SMB ports are subjected to brute-force credential guessing.
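As an added example (not code from the GuardiCore report or from the campaign itself), the following Python scanner flags, in web-server access logs, the three HTTP request shapes listed above: the Joomla! K2 connector download URL, the DSL modem /UD/act?1 endpoint and requests for wp-config.php~. The log lines are constructed for this example, and the status code is kept so an analyst can separate probes the server actually answered from ones it rejected.

```python
import re

# Constructed sample access log lines (Apache combined format), written for this
# example to mimic the request patterns the report attributes to Prowli.
# The base64 "target" value is an arbitrary constructed string.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2018:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [05/Jun/2018:10:01:15 +0000] "GET /index.php?option=com_k2&view=media&task=connector&cmd=file&target=c2FtcGxl&download=1 HTTP/1.1" 200 1789
198.51.100.7 - - [05/Jun/2018:10:02:01 +0000] "POST /UD/act?1 HTTP/1.1" 200 312
198.51.100.7 - - [05/Jun/2018:10:02:03 +0000] "GET /wp-config.php~ HTTP/1.1" 200 2800
192.0.2.44 - - [05/Jun/2018:10:03:20 +0000] "GET /wp-config.php~ HTTP/1.1" 404 210
192.0.2.44 - - [05/Jun/2018:10:03:22 +0000] "GET /wp-login.php HTTP/1.1" 200 3400
"""

# Apache/nginx combined log line: client IP, identd, user, timestamp, request,
# status, response size. Only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# One rule per request shape named in the article, matched against the path.
RULES = [
    ("joomla_k2_file_download",
     re.compile(r"option=com_k2.*task=connector.*cmd=file.*download=1")),
    ("dsl_modem_ud_act", re.compile(r"^/UD/act\?1(?:$|&)")),
    ("wordpress_config_backup", re.compile(r"/wp-config\.php~(?:$|\?)")),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text):
    """Return (rule_name, client_ip, status, path) for every matching request."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, pat in RULES:
            if pat.search(rec["path"]):
                hits.append((name, rec["ip"], int(rec["status"]), rec["path"]))
    return hits


def served_hits(hits):
    """Keep only hits answered with 2xx, i.e. the probe was served content
    (a wp-config.php~ returned with 200 means the backup file is exposed)."""
    return [h for h in hits if 200 <= h[2] < 300]


if __name__ == "__main__":
    for hit in served_hits(scan_access_log(SAMPLE_LOG)):
        print(hit)
```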
Operation Prowli relies mostly on known vulnerabilities and credential guessing, so users are advised to use strong passwords and keep their servers and devices up to date.