Researchers at Guardicore Labs have dubbed this malware attack as Operation Prowli.
A new malicious campaign focused on monetizing rather than hacking has been discovered; according to researchers at Guardicore Labs, the malware campaign, dubbed Operation Prowli, has infected over 40,000 IoT devices and servers, forcing them to carry out profit-making tasks like crypto mining and traffic-hijacking. Its targets include IoT devices, DSL modems, backup servers running HP Data Protector, and WordPress sites.
“Victim machines are monetized using a variety of methods, relying on internet trends such as digital currencies and traffic redirection,” Gaurdicore Labs said in a post about the campaign. “Traffic monetization frauds are quite common and are based on redirecting website visitors from their legitimate destination to websites advertising malicious browser extensions, tech support scam services, fake services and more.”
The researchers reported they first discovered the campaign in April when they detected SSH attacks contacting a command and control server set up as a honeypot. They believe the campaign has been live since the beginning of the year and that the attacks share identical behavior, connecting to the same C&C server and downloading the same attack tools and a cryptocurrency miner. The attacks have been detected across several networks in multiple countries.
“Over a period of three weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations,” the researchers said. “These attacks led us to investigate the attackers’ infrastructure and discover a wide-ranging operation attacking multiple services.”
The attackers use a combination of credential guessing and taking advantage of known vulnerabilities. To protect against the attack, the researchers urge owners of IoT devices, modems and servers to keep their firmware or software up to date and to use strong passwords that are changed regularly.