GuardiCore, a cloud-based security provider, has uncovered a large-scale attack on vulnerable servers. Codenamed Operation Prowli, the attack leverages various exploits to redirect web traffic, and to install cryptocurrency mining software on its targets.
Operation Prowli attacks targets with various exploits tailored to specific vulnerabilities. From SSH brute forcing to Mirai-like attacks on consumer modems. Post-infection actions taken include installing cryptocurrency miners and redirecting web traffic. Both post-infection actions performed by Operation Prowli are intended to provide a revenue stream back to those running the attack. At the time of writing, it was reported that over 40,000 computers have fallen victim.
A more in-depth look at the methodology and attacks used by Operation Prowli can be seen in GaurdiCore’s release.
Cryptojacking, or stealing computing power from others, allows those behind Operation Prowli to leverage many compromised computers to mine cryptocurrency. As in the last few reports on cryptojacking, the currency of choice for the attackers is Monero, undoubtedly chosen for its commitment to being minable on consumer CPUs and untraceable nature.
Once Operation Prowli has managed to gain access to a server, it will attempt to redirect web traffic towards malicious sites. An example used in GaurdiCore’s release is tech support scams.
Prevention and staying secure
For consumers, the best way to stay secure is to verify that the site you have visited is the one you intended. And otherwise to only follow links you trust.
Providers that are not already infected, ensuring your servers are secure can be done in various ways. With the simplest being to use strong passwords, and to only expose to the internet what you absolutely have to. For this reason, firewalls to close ports that do not need to be accessed externally are a must. Otherwise, ensuring that the software you use is up to date, and does not have any longstanding security issues will go a long way.
Otherwise, for providers that are already infected, changing all passwords and doing a security audit is a good first step. After which, stop all currently running malicious processes and remove their binaries (hashes provided below). Or in the case of the traffic redirection attack, check all relevant files for malicious lines.
|Filename||Hash (sourced from GaurdiCore’s release)|