After the recent discovery of the VPNFilter malware botnet, researchers have revealed another significant threat in the cybersecurity landscape: Operation Prowli. This extensive operation has already compromised over 40,000 servers, modems, and other internet-connected devices from a diverse array of organizations worldwide.
Operation Prowli employs various attack techniques, including the exploitation of known vulnerabilities, brute-force password attacks, and the manipulation of weak configurations, allowing it to take control of servers and websites on a global scale. According to findings from the GuardiCore security team, this campaign has targeted more than 9,000 businesses across multiple sectors such as finance, education, and government.
The malware has notably infected a range of devices and services, including popular content management systems (CMS) like Drupal and WordPress, Joomla! servers with K2 extensions, HP Data Protector backup servers, DSL modems, and various vulnerable Internet-of-Things (IoT) devices. These infections are primarily attributed to either credential guessing or the exploitation of existing security vulnerabilities.
Researchers have determined that the attackers use the compromised devices to execute cryptocurrency mining scripts or redirect traffic to harmful websites. Their focus appears to be financial gain rather than ideological motives or espionage. The malware employs a Monero (XMR) cryptocurrency miner, alongside a Golang-based worm known as “r2r2,” which utilizes SSH brute-force attacks. This worm enables the attackers to extend their reach by compromising additional devices.
The r2r2 worm operates by generating random IP address blocks and systematically attempting to log into SSH services using a dictionary of usernames and passwords. Upon successful entry, it executes commands designed to download multiple versions of the worm tailored to various CPU architectures, a cryptocurrency miner, and configuration files from a remote server.
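A defender-side check for the trail this kind of worm leaves in SSH logs, as an added example that is not code from the GuardiCore report: it parses OpenSSH auth-log lines (constructed samples), counts password failures per source address, and flags a source whose successful login follows a burst of failures. The failure threshold is an assumed tuning value.

```python
# Added example (not code from the GuardiCore report): flag SSH dictionary
# attacks of the kind the r2r2 worm performs, from sshd auth-log lines.
# FAIL_THRESHOLD is an assumed tuning value; the log lines are constructed.
import re
from collections import defaultdict

# OpenSSH syslog messages for failed and successful password logins.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

FAIL_THRESHOLD = 5  # failures from one source before it counts as guessing (assumed)

def analyze_auth_log(lines, fail_threshold=FAIL_THRESHOLD):
    """Return {ip: {"failures", "users", "compromised"}} for sources that
    cross the threshold. "compromised" means an Accepted login followed the
    burst of failures: the brute-force-then-success trail a worm leaves."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "compromised": False})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(m["user"])
        elif s["failures"] >= fail_threshold:
            s["compromised"] = True
    return {
        ip: {"failures": s["failures"], "users": sorted(s["users"]),
             "compromised": s["compromised"]}
        for ip, s in stats.items() if s["failures"] >= fail_threshold
    }

# Constructed sample: one guessing source that eventually gets in, one admin typo.
SAMPLE_LOG = """\
Jun  6 10:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.10 port 40122 ssh2
Jun  6 10:01:03 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 40123 ssh2
Jun  6 10:01:04 web1 sshd[1202]: Failed password for invalid user pi from 203.0.113.10 port 40124 ssh2
Jun  6 10:01:05 web1 sshd[1203]: Failed password for root from 203.0.113.10 port 40125 ssh2
Jun  6 10:01:06 web1 sshd[1204]: Failed password for invalid user test from 203.0.113.10 port 40126 ssh2
Jun  6 10:01:07 web1 sshd[1205]: Accepted password for root from 203.0.113.10 port 40127 ssh2
Jun  6 10:02:00 web1 sshd[1300]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Jun  6 10:02:04 web1 sshd[1301]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in analyze_auth_log(SAMPLE_LOG).items():
        print(ip, info)
```

A "compromised" hit is the signal to isolate the host and rotate its credentials; the single failed login from 198.51.100.7 stays below the threshold and is not reported.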
In addition to cryptomining, the attackers are leveraging a known open-source web shell, referred to as the “WSO Web Shell,” to modify compromised servers. This allows them to redirect visitors to counterfeit sites that distribute malicious browser extensions. The GuardiCore team monitored this campaign and documented numerous attacks, all originating from over 180 unique IP addresses representing a variety of countries and organizations.
To safeguard against such malware, organizations must prioritize regular system updates and patches while also employing strong, complex passwords. Segmenting vulnerable systems from the broader network can provide an additional layer of security. The recent resurgence of botnets, like VPNFilter—which has reportedly infected hundreds of thousands of routers and storage devices worldwide—serves as a stark reminder of the critical need for vigilance in cybersecurity practices.
In terms of the attack’s tactics, the MITRE ATT&CK framework identifies relevant adversary techniques, such as initial access through exploiting software vulnerabilities, persistence via web shells, privilege escalation through credential manipulation, and execution of unauthorized commands. By understanding these tactics, businesses can better prepare for and mitigate potential risks associated with similar malware operations.