Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines

SmartNA PortPlus - High Performance Visibility Solutions that scale with your network.

Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.

operation prowli

The campaign, dubbed Operation Prowli by the Guardicore Labs team, spreads malware and malicious code to servers, websites and devices after compromising them via exploits, password brute-forcing and by taking advantage of weak configurations.

Operation Prowli

Two specific things grabbed the researchers’ attention: the attackers using unfamiliar, Go-based malware, and using malicious binaries designed to attack different services and CPU architectures.

Machines running SSH are hacked by a self propagating worm spread by brute force credential guessing. Joomla! Servers running the K2 extension are attacked via a file download vulnerability (CVE-2018-7482), which allows the attackers to discover sensitive server configuration data (e.g., passwords and API keys).

Various DSL modems are hacked by accessing their internet facing configuration panel and passing in parameters exploiting a known RCE vulnerability previously used by Mirai. WordPress servers are compromised via password brute-forcing, vulnerability exploitation, or thanks to misconfiguration.

“Servers running HP Data Protector exposed to the internet (over port 5555) are exploited using a 4 year old vulnerability – CVE-2014-2623 – used to execute commands with system privileges,” the researchers explained.

“The attackers also target systems with Drupal, PhpMyAdmin installations, NFS boxes and servers with exposed SMB ports open to brute force credential guessing. An additional type of victims are compromised servers which host a well known open source webshell named ‘WSO Web Shell’. These php-based shells provide access and remote code execution on different compromised machines, frequently running vulnerable versions of WordPress.”

Where possible, the worm downloads a cryptominer. Compromised servers occasionally serve as C&C servers, or as staging points for future attacks. Breached websites are injected with JavaScript code that will redirect visitors to malicious websites.

Have your machines, servers and installations been compromised?

The researcher have made available indicators of compromise that should help you discover whether your machines, servers, sites or CMS installations have been compromised. These include hashes of malicious files, domains and IP addresses your compromised assets attempted to contact, and PHP and JS scripts injected in website code.

“Discovering if any of the computers in your network has visited an infected website can be done by examining network traffic,” the researchers advised.

“If you have an infected machine with r2r2, stopping the worm & miner processes (r2r2 and xm11) and deleting the files will suffice to clean up the attack. Don’t forget to change passwords after the cleanup.”

They also advise using strong passwords, regularly updating, patching and hardening of CMS installations, as well as segmenting networks.

“Segmentation is a good practice and since you can’t always prevent the breach, you should segment and monitor your network to minimise harm and avoid infamous breaches such as the fish tank breach,” they noted.

“Routinely review who and what can access the servers. Keep this list to a minimum and pay special attention to IoT devices whose credentials cannot be changed. Monitoring connections would easily show compromised devices communicating with cryptocurrency mining pools.”