Operation Prowli infects over 40000 servers, modems and IoT devices across industries worldwide

• More than 40,000 servers, modems, backup servers and IoT devices infected across the globe
• Attackers leveraging exploits, brute-force attacks and weak configurations to infect devices

Security researchers have uncovered a new traffic manipulation and cryptomining campaign that has already ensnared over 40,000 devices in 9000 organizations across industries including finance, education and government. Guardicore Labs researchers said the campaign, dubbed Operation Prowli, targets vulnerable platforms such as CMS servers, DSL modems, backup servers and IoT devices.

The botnet uses exploits, password brute-forcing attacks and weak configurations to infect and monetize victim machines. Compromised devices are then used to mine cryptocurrency, promote fake websites, malicious browser extensions, scam products and more.

In early April, researchers detected a group of SSH attacks communicating with a C&C server - all of which behaved the same way and downloaded multiple attack tools including the r2r2 worm and a Monero miner.

"We traced this campaign across several networks in different countries, associated with different industries," Guardicore researchers wrote in a blog post. "The attackers used binaries with the same domain name hardcoded in the code and each of the binaries was designed to attack different services and CPU architecture."

Over the course of three weeks, researchers detected dozens of such attacks from over 180 IPs across multiple countries and organizations every day.

The threat actors behind Prowli stored a collection of victim machines with IPs and domains that expose different services to the Internet. Some of the targeted services include Drupal CMS websites, Wordpress sites, DSL modems, vulnerable IoT devices, servers with an open SSH port and servers exposing HP Data Protector software among others.

The majority of compromised companies included consumer services, computer services, colleges and computer software.

What do they want?

According to Guardicore, the attackers appear to be more focus on making money, rather than espionage or a particular ideology.

Within this campaign, their sources of revenue include cryptocurrency mining and traffic monetization fraud. For the latter, Prowli redirects visitors from legitimate, compromised websites to malicious domains that host tech support scams, advertise fake browser extensions or scam products, and more.

The attackers were found using different payloads for each of their targets. For instance, the SSH brute force attack is used to gain complete control of the targeted system and mine cryptocurrency. Meanwhile, breached websites are used to run various types of Web fraud. Other compromised systems are used to execute more attacks.

What can you do to protect yourself?

"Simple but efficient attacks can get you very far in today’s internet and it’s not just unsecured IoT devices," researchers noted. "Large parts of the internet consist of unmaintained systems, unpatched and left with default credentials are targeted. While cryptocurrency mining and traffic manipulation are the main uses of the compromised machines we’ve seen, the attackers keep all their options open. By leaving backdoors and collecting victim metadata, the attackers can easily reuse the victims’ machines for other purposes or sell the data stored to other criminals."

Besides ensuring systems are patched and up to date, users have been advised to lock down systems, segment vulnerable or difficult to secure systems away from the rest of your network, and utilize stronger passwords. Strict hardening guides are also recommended to minimize risk of compromise and subsequent damage.