Prowli Malware Operation Infected Over 40,000 Servers, Modems, and IoT Devices

LASER_oneXM

Cyber-criminals have assembled a botnet of over 40,000 infected web servers, modems, and other IoT devices, which they use for cryptocurrency mining and for redirecting users to malicious sites.
Named Prowli and discovered by the GuardiCore security team, the botnet is a diverse operation that relies on known vulnerabilities and credential brute-force attacks to infect and take over devices.

How the Prowli group infects victims

The following types of servers and devices are known to have been infected by the Prowli group in recent months:

  • WordPress sites (via several exploits and admin panel brute-force attacks)
  • Joomla! sites running the K2 extension (via CVE-2018-7482)
  • Several models of DSL modems (via a well-known vulnerability)
  • Servers running HP Data Protector (via CVE-2014-2623)
  • Drupal and phpMyAdmin installations, NFS boxes, and servers with exposed SMB ports (all via brute-force credential guessing)

Furthermore, the Prowli group also operates an SSH scanner module that tries to guess the username and password of devices that expose their SSH port to the Internet.
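The SSH credential guessing described above leaves a recognisable trail in the target's auth log. The script below is an added example for this thread (it is not from the article or from GuardiCore) showing how a defender would spot it: it parses OpenSSH "Failed password" / "Accepted ..." lines, counts failures per source IP inside a sliding time window, flags sources that cross a threshold, and marks a source as compromised when an accepted login from it follows a flagged burst. The log lines, addresses and the 2018 year are constructed sample data; the threshold and window values are assumptions to tune per environment.

```python
"""Detect SSH credential brute-forcing in OpenSSH auth logs.

Added example (not the article's or GuardiCore's code). Reads sshd lines in
syslog format, tracks "Failed password" events per source IP in a sliding
window, flags sources that exceed a threshold, and marks a source as
compromised when an "Accepted" login from it arrives while it is flagged.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (RFC 5737 test addresses), not from a real system.
# 203.0.113.7: fast burst of guesses, then the guess for root succeeds.
# 198.51.100.4: one typo followed by a normal key-based login.
# 192.0.2.9: one guess every ten minutes, a "low and slow" scanner.
SAMPLE_LOG = """\
Jun  6 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jun  6 10:00:02 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jun  6 10:00:03 host sshd[2003]: Failed password for invalid user pi from 203.0.113.7 port 51002 ssh2
Jun  6 10:00:04 host sshd[2004]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jun  6 10:00:05 host sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun  6 10:00:06 host sshd[2006]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Jun  6 10:03:00 host sshd[2007]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jun  6 10:03:20 host sshd[2008]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Jun  6 10:10:00 host sshd[2009]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
Jun  6 10:20:00 host sshd[2010]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Jun  6 10:30:00 host sshd[2011]: Failed password for invalid user test from 192.0.2.9 port 33002 ssh2
Jun  6 10:40:00 host sshd[2012]: Failed password for invalid user test from 192.0.2.9 port 33003 ssh2
Jun  6 10:50:00 host sshd[2013]: Failed password for invalid user test from 192.0.2.9 port 33004 ssh2
"""

# Matches the two sshd outcome lines we care about; other sshd noise is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(log_text, year=2018):
    """Return a time-sorted list of (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication outcome line
        # syslog timestamps carry no year; the caller supplies one (assumed 2018 here)
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts.replace(year=year), m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=5, window_seconds=600):
    """Return {ip: summary}; threshold/window are assumed tuning values."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    report = defaultdict(lambda: {
        "total_failures": 0, "users": set(),
        "flagged": False, "compromised": False, "compromised_user": None,
    })
    for ts, result, user, ip in events:
        q = recent[ip]
        # evict failures that have aged out of the sliding window
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        entry = report[ip]
        if result == "Failed":
            q.append(ts)
            entry["total_failures"] += 1
            entry["users"].add(user)
            if len(q) >= threshold:
                entry["flagged"] = True
        elif result == "Accepted" and len(q) >= threshold:
            # a successful login on the heels of a flagged burst: a guess worked
            entry["compromised"] = True
            entry["compromised_user"] = user
    return dict(report)


def summarize(log_text):
    """Convenience wrapper: parse then detect, with the default tuning."""
    return detect_bruteforce(parse_events(log_text))


if __name__ == "__main__":
    for ip, summary in summarize(SAMPLE_LOG).items():
        print(ip, summary)
```

Note the third source in the sample: it makes five failed guesses in total but never five inside a ten-minute window, so a purely window-based rule misses it. The `total_failures` count is kept in the summary for exactly that reason, so a second, slower rule (or a reputation feed) can be layered on top of the burst detector.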