Original: https://blockexplorer.com/news/prowli-cryptojack-redirect-attack/
GuardiCore, a cloud-based security provider, has uncovered a large-scale attack on vulnerable servers. Codenamed Operation Prowli, the attack leverages various exploits to redirect web traffic, and to install cryptocurrency mining software on its targets.
Operation Prowli
Operation Prowli attacks targets with various exploits tailored to specific vulnerabilities. From SSH brute forcing to Mirai-like attacks on consumer modems. Post-infection actions taken include installing cryptocurrency miners and redirecting web traffic. Both post-infection actions performed by Operation Prowli are intended to provide a revenue stream back to those running the attack. At the time of writing, it was reported that over 40,000 computers have fallen victim.
A more in-depth look at the methodology and attacks used by Operation Prowli can be seen in GaurdiCore’s release.
Cryptojacking
Cryptojacking, or stealing computing power from others, allows those behind Operation Prowli to leverage many compromised computers to mine cryptocurrency. As in the last few reports on cryptojacking, the currency of choice for the attackers is Monero, undoubtedly chosen for its commitment to being minable on consumer CPUs and untraceable nature.
Traffic redirection
Once Operation Prowli has managed to gain access to a server, it will attempt to redirect web traffic towards malicious sites. An example used in GaurdiCore’s release is tech support scams.
Prevention and staying secure
For consumers, the best way to stay secure is to verify that the site you have visited is the one you intended. And otherwise to only follow links you trust.
Providers that are not already infected, ensuring your servers are secure can be done in various ways. With the simplest being to use strong passwords, and to only expose to the internet what you absolutely have to. For this reason, firewalls to close ports that do not need to be accessed externally are a must. Otherwise, ensuring that the software you use is up to date, and does not have any longstanding security issues will go a long way.
Otherwise, for providers that are already infected, changing all passwords and doing a security audit is a good first step. After which, stop all currently running malicious processes and remove their binaries (hashes provided below). Or in the case of the traffic redirection attack, check all relevant files for malicious lines.
Filename Hash (sourced from GaurdiCore’s release)
r2r2 128582a05985d80af0c0370df565aec52627ab70dad3672702ffe9bd872f65d8
r2r2-a 09fa626ac488bca48d94c9774d6ae37d9d1d52256c807b6341f0a08bdd722abf
r2r2-m 908a91a707a3a47f9d4514ecdb9e43de861ffa79c40202f0f72b4866fb6c23a6
r345 51f9b87efd00d3c12e4d73524e9626bfeed0f4948781a6f38a7301b102b8dbbd
r345-a cfb8f536c7019d4d04fb90b7dce8d7eefaa6a862a85c523d869912a1fbaf946a
r345-m 88d03f514b2c36e06fd3b7ed6e53c7525a8e8370c4df036b3b96a6da82c8b45b
xm111 b070d06a3615f3db67ad3beab43d6d21f3c88026aa2b4726a93df47145cd30ec
cl1 7e6cadbfad7147d78fae0716cadb9dcb1de7c4a392d8d72551c5301abe11f2b2
z.exe a0a52dc6cf98ad9c9cb244d810a22aa9f36710f21286b5b9a9162c850212b160
pro-wget a09248f3a4d7e58368a1847f235f0ceb52508f29067ad27a36a590dc13df4b42
pro-s2 3e5b3a11276e39821e166b5dbf6414003c1e2ecae3bdca61ab673f23db74734b