Researchers at Guardicore Labs have dubbed this malware attack as Operation Prowli.
Guardicore Labs researchers have discovered a new malicious campaign focused on monetizing rather than hacking has been discovered. The malware campaign, dubbed Operation Prowli, has infected over 40,000 IoT devices and servers.
It targets IoT devices, DSL modems, backup servers running HP Data Protector, and WordPress sites and forces them to conduct profit-making tasks like crypto mining and traffic-hijacking.
Cyber attackers guessed credentials and took advantage of known vulnerabilities. They used a variety of methods to monetize victims’ machines, employing digital currencies and traffic redirection.
Researchers say that these all too common traffic monetization frauds redirect website visitors from legitimate destinations to websites that advertise:
- Malicious browser extensions
- Tech support scam services
- Fake services
- Other phishing services
The researchers first discovered the campaign in April when they detected SSH attacks contacting a command and control server set up as a honeypot. They believe the campaign has been live since early 2018. The attacks apparently share identical behavior, connecting to the same C&C server and downloading the same attack tools and a cryptocurrency miner. They’ve detected attacks across several networks in multiple countries.
“Over a period of three weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations,” researchers say. “These attacks led us to investigate the attackers’ infrastructure and discover a wide-ranging operation attacking multiple services.”
Researchers urge IoT device owners and those who use modems and servers to keep their firmware or software up to date and use strong passwords that they changed regularly.