Guardicore: The cybercrime group “Prowli” has been conducting a wide-ranging campaign to infect more than 40,000 machines at 9,000 companies globally
The cybercrime group “Prowli” has been conducting a wide-ranging campaign using an array of techniques to infect more than 40,000 machines at 9,000 companies globally. It has been discovered by cyber security specialists of Guardicore. The cyber criminals used various techniques like exploits and password brute-forcing to spread malware and take over devices, such as website content management systems (CMS), web servers, modems, and Internet-of-Things (IoT) devices. Once a device is compromised, a self-propagating worm is installed to exploit vulnerabilities and expands the botnet by identifying and spreading to new victims. The group have used multiple avenues to generate money from the compromised systems including installing cryptocurrency mining software, as well as redirecting people from legitimate compromised websites to malicious domains hosting scam websites (i.e. fraudulent tech support, scam products and fake browser extensions).
The malicious hackers are money-motivated. Cryptomining and traffic manipulation are the main uses of the compromised machines, but the cyber attackers keep all their options open
Prowli compromised a range of organisations of all types and sizes, without targeting a specific sector. The operation was designed and optimised to maximise profits for the money-motivated cyber criminals, Guardicore noted. This campaign comes in the wake of several other similar large botnets which are attacking networked devices. The cyber security experts in their conclusions explain that the cybercrime group to get Monero used a fully automated worm, and infected compromised websites to redirect their visitors to malicious domains. While cryptocurrency mining and traffic manipulation are the main uses of the compromised machines, the attackers keep all their options open. By leaving backdoors and collecting victim metadata, they can reuse the victims’ machines for other purposes or sell the data to other criminals.