Cyber-criminals have managed to assemble a gigantic botnet of over 40,000 infected web servers, modems, and other IoT devices, which they used for cryptocurrency mining, and for redirecting users to malicious sites.
Named Prowli and discovered by the GuardiCore security team, this botnet is a diverse operation that relies on vulnerabilities and credential brute-force attacks to infect and take over devices.
How the Prowli group infects victims
The following types of servers and devices are known to have been infected by the Prowli group in recent months:
- WordPress sites (via several exploits and admin panel brute-force attacks)
- Joomla! sites running the K2 extension (via CVE-2018-7482)
- Several models of DSL modems (via a well-known vulnerability)
- Servers running HP Data Protector (via CVE-2014-2623)
- Drupal and phpMyAdmin installations, NFS boxes, and servers with exposed SMB ports (all via brute-force credential guessing)
Furthermore, the Prowli group also operates an SSH scanner module that attempts to guess the username and password of devices that expose their SSH port on the Internet.
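As an added defender-side example (not part of the article or of GuardiCore's research), the following Python flags the credential-guessing pattern described above in OpenSSH auth logs: many failed logins from one source inside a short window, often against usernames that do not exist. The log lines, addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log sample (not from the article): 203.0.113.5 sprays
# several usernames within seconds; 198.51.100.7 fails twice, minutes apart.
SAMPLE_AUTH_LOG = """\
Jun  6 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Jun  6 10:01:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Jun  6 10:01:05 host sshd[1203]: Failed password for invalid user pi from 203.0.113.5 port 51004 ssh2
Jun  6 10:01:09 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51006 ssh2
Jun  6 10:01:12 host sshd[1205]: Failed password for invalid user ubuntu from 203.0.113.5 port 51008 ssh2
Jun  6 10:01:15 host sshd[1206]: Failed password for root from 203.0.113.5 port 51010 ssh2
Jun  6 10:02:40 host sshd[1210]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Jun  6 10:05:00 host sshd[1220]: Failed password for deploy from 198.51.100.7 port 42000 ssh2
Jun  6 10:09:30 host sshd[1221]: Failed password for deploy from 198.51.100.7 port 42001 ssh2
"""

# Standard OpenSSH failure line; "invalid user" marks guesses at accounts that
# do not exist, a typical sign of a credential-guessing scanner.
FAILED_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(log_text):
    """Yield (timestamp, username, source_ip) for each failed SSH login.
    Syslog timestamps carry no year; only their relative spacing matters here."""
    for m in filter(None, map(FAILED_RE.match, log_text.splitlines())):
        mon, day, clock, user, ip = m.groups()
        yield datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S"), user, ip

def peak_in_window(timestamps, window_seconds):
    """Largest number of events inside any span of window_seconds (sliding window)."""
    times, best, left = sorted(timestamps), 0, 0
    for right, t in enumerate(times):
        while (t - times[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best

def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Sources reaching `threshold` failed logins within `window_seconds`,
    each with its peak failure count and the usernames it tried."""
    per_ip = defaultdict(lambda: {"times": [], "users": set()})
    for ts, user, ip in parse_failures(log_text):
        per_ip[ip]["times"].append(ts)
        per_ip[ip]["users"].add(user)
    peaks = {ip: peak_in_window(r["times"], window_seconds) for ip, r in per_ip.items()}
    return {ip: {"peak_failures": p, "usernames": sorted(per_ip[ip]["users"])}
            for ip, p in peaks.items() if p >= threshold}
```

A hit on a host that should not be reachable from the Internet at all is the stronger signal: the list above shows the group goes after anything with an exposed SSH, SMB or admin port, so exposure itself is the finding to fix.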