At what point is the victim machine considered to be compromised?

by Dr. Chasity Halvorson


A fellow analyst believes that an attacker briefly authenticated to your company WiFi network and might have compromised some machines. Your colleague collected network traffic and ran two Splunk queries that might be helpful in your investigation. Attached are resources provided by the analyst for your evaluation.

Expert Answer

ANSWER-8: Why should you fully re-install Windows on the victim machine? First of all: what do you mean by victim computer? It is malware that infects files and spreads when the file executes or is executed by another program. Like all hostile code t …

Discovering the r2r2 worm

On the 4th of April, the Guardicore Global Sensor Network (GGSN) reported a cluster of SSH attacks that all behaved in the same fashion: each one communicated with the same C&C server to download a set of attack tools named r2r2 together with a cryptocurrency miner.

Scope

We found that the attackers maintain a large list of victim machines, recorded by IP address and domain, that expose various services to the Internet. Every one of these services is either vulnerable to a remote pre-authentication attack or lets the attackers brute-force their way in.

Monetization: how does the money flow?

The attackers behind Operation Prowli are focused on making money from their efforts rather than ideology or espionage. We currently understand two key flows of revenue in this operation.

Bruteforce for the win

Let’s take a closer look at the SSH brute-force attack that tipped us off to this operation. The binary, named r2r2, is written in Go. A quick look showed that r2r2 randomly generates IP address blocks and iterates over them, attempting to brute-force SSH logins with a username/password dictionary.

Joomla!.tk C&C

The attack tools report to a C&C server hosted under the domain name wp.startreceive [.]tk. The host is itself a compromised Joomla! server, which the attackers reuse to track their malware, collect information from the ever-growing victim list and serve different payloads to compromised machines.

Show me the payload

The attackers behind Operation Prowli use a different payload for each kind of target. Machines breached through the SSH brute-force attack are under the attackers’ complete control and are used to mine cryptocurrency, while breached websites are used to run various web frauds.

Detection & prevention

The attacks rely on a mix of known vulnerabilities and credential guessing, so prevention comes down to strong passwords (or, better, key-only SSH authentication) and keeping software up to date. While “patch your servers and use strong passwords” may sound trivial, we know that “in real life” things are much more complicated.
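Both the description of r2r2 above (a dictionary attack against SSH logins across random IP blocks) and this detection section raise the question from the top of the page: at what point is a host considered compromised? From the defender's side, the answer in the logs is a burst of failed SSH logins from one source followed by a successful login from that same source. The script below is an added example, not code from Guardicore or from the Prowli tooling: it parses constructed sshd auth-log lines, flags a source that exceeds a failure threshold inside a sliding time window, and raises a separate, higher-severity alert when that same source then authenticates successfully. The threshold (5 failures), window (60 seconds), host name, addresses and log lines are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed sshd log lines (syslog format without a year, as on a stock
# Debian/Ubuntu host). They are made up for this example and are not from
# any real investigation. 203.0.113.7 runs a dictionary attack and then
# succeeds; 198.51.100.9 is a legitimate user who mistyped once.
SAMPLE_AUTH_LOG = """\
Apr  4 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 41022 ssh2
Apr  4 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Apr  4 10:00:03 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 41041 ssh2
Apr  4 10:00:04 web1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 41050 ssh2
Apr  4 10:00:05 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 41063 ssh2
Apr  4 10:00:07 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 41070 ssh2
Apr  4 10:05:00 web1 sshd[2200]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Apr  4 10:05:20 web1 sshd[2202]: Accepted publickey for alice from 198.51.100.9 port 50002 ssh2
"""

# Matches the OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class Event(NamedTuple):
    when: datetime
    success: bool
    method: str
    user: str
    ip: str


class Alert(NamedTuple):
    kind: str        # "brute_force" or "likely_compromise"
    ip: str
    user: str
    when: datetime
    failures: int    # failed attempts from this source inside the window


def parse_line(line: str) -> Optional[Event]:
    """Parse one sshd auth line; returns None for lines that are not login results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The log carries no year; strptime defaults to 1900, which is fine for deltas.
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return Event(when, m["result"] == "Accepted", m["method"], m["user"], m["ip"])


def analyze(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Sliding-window brute-force detector over sshd log text.

    brute_force:        a source reaches `threshold` failures within `window`.
    likely_compromise:  that same source then logs in successfully while the
                        burst is still inside the window. This is the point at
                        which the host should be treated as compromised.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    reported = set()              # ips already alerted as brute-forcing (one alert per burst)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev.ip]
        while q and ev.when - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if not ev.success:
            q.append(ev.when)
            if len(q) >= threshold and ev.ip not in reported:
                reported.add(ev.ip)
                alerts.append(Alert("brute_force", ev.ip, ev.user, ev.when, len(q)))
        else:
            if len(q) >= threshold:
                alerts.append(Alert("likely_compromise", ev.ip, ev.user, ev.when, len(q)))
            # A success ends the burst either way; a single prior typo is not an attack.
            q.clear()
            reported.discard(ev.ip)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_AUTH_LOG):
        print(f"{a.when:%b %d %H:%M:%S} {a.kind:18} ip={a.ip} user={a.user} failures={a.failures}")
```

On the constructed input this yields two alerts for 203.0.113.7 (a brute_force alert on the fifth failure and a likely_compromise alert on the subsequent root login) and nothing for 198.51.100.9, whose single failure followed by a key-based login looks like an ordinary typo. The same window-and-threshold logic maps directly onto a Splunk search over sshd events grouped by source address, with the "success after burst" transition as the condition that escalates the case from attempted to actual compromise.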