The latest cryptojacking attack has seen 40,000 machines infected with malware that uses the host OS to mine Monero. According to Guardicore, 9,000 companies have been compromised by what has been named Operation Prowli, which spreads with the r2r2 worm. The operation has been tied to the roi777 traffic monetization organization, which has been active for quite some time.
The platforms stung by this malware are the usual ones: CMS servers, DSL modems, and Internet of Things devices. These have previously been identified as vulnerable by IT experts and are frequently a focal point of attack. Operation Prowli also targeted backup servers running HP Data Protector. What is somewhat unusual about this operation is that it used several monetization methods rather than cryptojacking alone. Traffic redirection was also used to send users to illegitimate websites such as scam ICOs and sites hosting downloadable malware.
Like previous attacks, this one targeted all types of organizations rather than specific businesses or industries. There was no discrimination by size, location, or sector. Servers with an open SSH port were the most frequently targeted (67%), followed by SMB (9%), WordPress (8%), phpMyAdmin (7%), and Drupal (3%). College services were again heavily compromised in this attack (12%), indicating that universities will need to deploy more stringent security controls. The sector identified simply as computer services was the worst affected (25%).
A number of attack vectors were used in the operation. Old vulnerabilities continue to be exploited and remain a cause for concern; one example is the four-year-old vulnerability in servers running HP Data Protector on port 5555. WordPress was attacked through brute-force logins to the administrative panel, old vulnerabilities in installations, and misconfigured servers. Servers hosting the WSO web shell were also targeted, since these machines frequently run vulnerable versions of WordPress.
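Two of the vectors above, SSH password guessing and brute-force logins to the WordPress admin panel, leave a distinctive trail in ordinary host logs. The script below is an added detection example for this article, not code from Guardicore's report or from the campaign itself: it counts failed logins per source address in an OpenSSH `auth.log` excerpt and in a web server access log, and flags sources that cross a threshold. The log lines are constructed samples. The WordPress check relies on the fact that a failed `wp-login.php` POST re-renders the form with HTTP 200 while a successful one redirects (302), so repeated 200s from one address are the signal; the threshold of five is an assumption you would tune to your own traffic.

```python
"""Flag brute-force login attempts against SSH and WordPress from log lines.

Added example for this article; the log lines are constructed samples,
not data from the Prowli campaign or from Guardicore's report.
"""
import re
from collections import Counter

# Constructed OpenSSH auth.log excerpt: one source hammers root/admin, one
# legitimate key-based login, and one isolated password failure.
SSH_AUTH_LOG = """\
Jun  5 10:01:02 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jun  5 10:01:03 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51023 ssh2
Jun  5 10:01:05 web1 sshd[2203]: Failed password for admin from 198.51.100.7 port 51024 ssh2
Jun  5 10:01:06 web1 sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 51025 ssh2
Jun  5 10:01:09 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 51026 ssh2
Jun  5 10:02:11 web1 sshd[2210]: Accepted publickey for deploy from 203.0.113.9 port 40122 ssh2
Jun  5 10:03:40 web1 sshd[2215]: Failed password for root from 203.0.113.9 port 40130 ssh2
"""

# Constructed combined-format access log excerpt for a WordPress site.
# A failed wp-login.php POST re-renders the form with HTTP 200; a successful
# one redirects (302) to wp-admin, so repeated 200s from one IP are the signal.
WP_ACCESS_LOG = """\
198.51.100.7 - - [05/Jun/2018:10:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.18"
198.51.100.7 - - [05/Jun/2018:10:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.18"
198.51.100.7 - - [05/Jun/2018:10:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.18"
198.51.100.7 - - [05/Jun/2018:10:05:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.18"
198.51.100.7 - - [05/Jun/2018:10:05:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.18"
198.51.100.7 - - [05/Jun/2018:10:05:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.18"
203.0.113.9 - - [05/Jun/2018:10:06:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jun/2018:10:06:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# OpenSSH's failure message, with or without the "invalid user" prefix.
SSH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Combined log format: ip ident user [time] "METHOD PATH PROTO" STATUS ...
WP_LOGIN_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"POST /wp-login\.php[^"]*" (?P<status>\d{3}) '
)


def ssh_failures_by_ip(log_text):
    """Count 'Failed password' events per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SSH_FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def wp_login_failures_by_ip(log_text):
    """Count wp-login.php POSTs that did not redirect, i.e. failed logins."""
    counts = Counter()
    for line in log_text.splitlines():
        m = WP_LOGIN_RE.match(line)
        if m and m.group("status") != "302":
            counts[m.group("ip")] += 1
    return counts


def flag_bruteforce(counts, threshold):
    """Return {ip: count} for sources at or above the failure threshold."""
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Threshold of 5 is an assumed starting point; tune it to your own traffic.
    print("SSH:", flag_bruteforce(ssh_failures_by_ip(SSH_AUTH_LOG), threshold=5))
    print("WordPress:", flag_bruteforce(wp_login_failures_by_ip(WP_ACCESS_LOG), threshold=5))
```

Run against the samples, the script flags 198.51.100.7 on both services and leaves the key-based SSH user and the single legitimate WordPress login alone. In production you would feed it real log paths, add a time window so that counts decay, and use the output to drive rate limiting or a block list; the more durable fixes for the other vectors in the article (patching HP Data Protector, not exposing port 5555 or SSH to the internet, and removing stray web shells) need no script at all.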
Cryptojacking continues to be more profitable for cybercriminals than ransomware. Once again, insecure machines have been stung to mine Monero, with the added twist of traffic monetization in this particular campaign. Just last month, 500,000 computers were hijacked to mine Monero through WinstarNssmMiner. The trend is ominous: significant portions of the internet carry known vulnerabilities that continue to be exploited. Cyber attacks are growing, and attackers are getting more inventive. In this case, backdoors have been left open, so the attackers can easily reuse the victims' machines.