Researchers have discovered a new malicious traffic manipulation and cryptocurrency mining campaign, dubbed Operation Prowli, that has infected organizations across a number of industries, from finance to education and government.
The Operation Prowli campaign has infected more than 40,000 machines by spreading malware and malicious code to servers and websites of nearly 9,000 companies around the world.
The campaign uses several techniques to spread the malware, including brute-forcing, exploits, and weak configurations. It targets CMS hosting servers, backup servers, HP Data Protector, DSL modems and IoT devices.
The GuardiCore Labs team found the first attack on 4 April, when a group of secure-shell (SSH) attacks were discovered communicating with a command-and-control (C&C) server.
"The attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools named r2r2 along with a cryptocurrency miner," GuardiCore wrote.
After investigating the attacks, the researchers found that the campaign is active across several networks around the world and is associated with different industries.
"Over a period of 3 weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations. These attacks led us to investigate the attackers’ infrastructure and discover a wide-ranging operation attacking multiple services."
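The SSH activity described above (many password failures from one source, followed by a download from the C&C server) leaves a recognisable trace in sshd authentication logs. The following Python script is an added example, not code from the article or from GuardiCore: it parses a constructed sample of sshd log lines, counts failed password attempts per source IP, flags sources that cross a threshold, and records whether such a source later logged in successfully (the signal a defender most wants, since it means a guessed credential worked). The log lines and IP addresses are constructed for the example, using documentation address ranges, and are not indicators from the campaign.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log (not from the article or GuardiCore's report).
# The addresses are documentation-range placeholders, not real attacker infrastructure.
SAMPLE_AUTH_LOG = """\
Apr  4 10:01:02 host sshd[1201]: Failed password for root from 198.51.100.7 port 50112 ssh2
Apr  4 10:01:03 host sshd[1202]: Failed password for root from 198.51.100.7 port 50114 ssh2
Apr  4 10:01:05 host sshd[1203]: Failed password for admin from 198.51.100.7 port 50118 ssh2
Apr  4 10:01:06 host sshd[1204]: Failed password for invalid user test from 198.51.100.7 port 50120 ssh2
Apr  4 10:01:08 host sshd[1205]: Failed password for root from 198.51.100.7 port 50122 ssh2
Apr  4 10:01:09 host sshd[1206]: Accepted password for root from 198.51.100.7 port 50124 ssh2
Apr  4 10:05:00 host sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Apr  4 10:06:00 host sshd[1211]: Failed password for bob from 192.0.2.11 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user test from ..." (OpenSSH phrasing).
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn raw sshd log text into a list of dicts with result/method/user/ip."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_brute_force_sources(events, threshold=5):
    """Return {ip: stats} for every source IP with at least `threshold`
    failed logins. `succeeded_after` is True when the same IP later got an
    'Accepted' line, i.e. the brute-force attempt appears to have worked."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "succeeded_after": False})
    for ev in events:  # events are in log order, so "after" is meaningful
        s = stats[ev["ip"]]
        if ev["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(ev["user"])
        elif ev["result"] == "Accepted" and s["failures"] >= threshold:
            s["succeeded_after"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    flagged = find_brute_force_sources(parse_auth_log(SAMPLE_AUTH_LOG))
    for ip, s in flagged.items():
        status = "LOGIN SUCCEEDED AFTER FAILURES" if s["succeeded_after"] else "failures only"
        print(f"{ip}: {s['failures']} failed attempts, users {sorted(s['users'])}, {status}")
```

On the sample above, only 198.51.100.7 is flagged, with five failures across three usernames and a subsequent successful password login; the single failure from 192.0.2.11 stays below the threshold. In practice the same logic runs over `/var/log/auth.log` or journald output, and a flagged source that also shows an accepted login is the host to isolate and inspect first.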
Here is the list of servers and devices known to be infected by the Prowli group:
- WordPress sites (via several exploits and admin panel brute-force attacks)
- Joomla! sites running the K2 extension (via CVE-2018-7482)
- Several models of DSL modems (via a well-known vulnerability)
- Servers running HP Data Protector (via CVE-2014-2623)
- Drupal, PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports (all via brute-force credential guessing)