Attackers behind an ongoing series of proxyjacking attacks are hacking into vulnerable SSH servers exposed online to monetize them through proxyware services that pay for sharing unused Internet bandwidth.
Like cryptojacking, which allows attackers to use hacked systems to mine for cryptocurrency, proxyjacking is a low-effort and high-reward tactic of leeching compromised devices’ resources.
However, proxyjacking is harder to detect because it only leeches on hacked systems’ unused bandwidth and doesn’t impact their overall stability and usability.
While threat actors can also use hacked devices to set up proxies that can help them hide their traces and obfuscate malicious activity, the cybercriminals behind this campaign were only interested in monetization through commercial proxyware services.
“This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Proxy or Honeygain,” said Akamai security researcher Allen West.
“This allows for the attacker to monetize an unsuspecting victim’s extra bandwidth, with only a fraction of the resource load that would be required for cryptomining, with less chance of discovery.”
While investigating this campaign, Akamai found a list containing the IP that started the investigation and at least 16,500 other proxies shared on an online forum.
Proxyware services and Docker containers
Akamai first spotted the attacks on June 8 after multiple SSH connections were made to honeypots managed by the company’s Security Intelligence Response Team (SIRT).
Once connected to one of the vulnerable SSH servers, the attackers deployed a Base64-encoded Bash script that added the hacked systems to Honeygain’s or Peer2Profit’s proxy networks.
The script also set up a container by downloading Peer2Profit or Honeygain Docker images, and killed rival bandwidth-sharing containers already running on the host.
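The behaviour described above gives a defender a few concrete things to look for on a Linux host: proxyware container images, a Base64-decoded script piped straight into a shell, and container kill/remove commands. The following detection sketch is an added example, not code from the article or from Akamai; the image names and command lines it scans are constructed sample data, and the regular expressions are assumptions about how such activity typically appears in shell history or audit logs.

```python
import re
from typing import Iterable

# Proxyware services named in the article (lower-cased for matching).
PROXYWARE_NAMES = ("honeygain", "peer2profit", "peer2proxy", "nanowire", "iproyal")

# Delivery pattern: a Base64-decoded payload piped into bash/sh.
B64_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")
# Cleanup pattern: killing or removing containers (rival proxyware removal).
CONTAINER_KILL = re.compile(r"\bdocker\s+(kill|rm|stop)\b")


def proxyware_images(images: Iterable[str]) -> list[str]:
    """Return container image names that reference a known proxyware service."""
    return [img for img in images if any(n in img.lower() for n in PROXYWARE_NAMES)]


def suspicious_commands(commands: Iterable[str]) -> list[tuple[str, str]]:
    """Tag command lines (e.g. from shell history or auditd) that match the script's behaviour."""
    hits = []
    for cmd in commands:
        if B64_TO_SHELL.search(cmd):
            hits.append(("base64-decoded script piped to shell", cmd))
        if CONTAINER_KILL.search(cmd):
            hits.append(("container kill/remove (possible rival proxyware cleanup)", cmd))
        if any(n in cmd.lower() for n in PROXYWARE_NAMES):
            hits.append(("proxyware service referenced", cmd))
    return hits


# Constructed sample data; not taken from the article or from any real host.
SAMPLE_IMAGES = ["nginx:1.25", "honeygain/honeygain:latest",
                 "peer2profit/peer2profit_linux", "redis:7"]
SAMPLE_COMMANDS = [
    "ls -la /var/log",
    "echo ZWNobyBoaQo= | base64 -d | bash",
    "docker kill $(docker ps -q --filter ancestor=peer2profit/peer2profit_linux)",
    "docker run -d --name hg honeygain/honeygain:latest",
]

if __name__ == "__main__":
    for img in proxyware_images(SAMPLE_IMAGES):
        print("proxyware container image:", img)
    for reason, cmd in suspicious_commands(SAMPLE_COMMANDS):
        print(f"{reason}: {cmd}")
```

In practice the image list would come from `docker ps --format '{{.Image}}'` and the command lines from shell history or an audit trail; a hit on the kill pattern alone is weak evidence, but combined with a proxyware image or a decode-to-shell pipeline it is worth an immediate look.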
Akamai also found cryptominers used in cryptojacking attacks, exploits, and hacking tools on the compromised server used to host the malicious script. This suggests the threat actors have either fully pivoted to proxyjacking or use it as an additional source of passive income.
“Proxyjacking has become the newest way for cybercriminals to make money from compromised devices in both a corporate ecosystem as well as the consumer ecosystem,” West said.
“It is a stealthier alternative to cryptojacking and has serious implications that can increase the headaches that proxied Layer 7 attacks already serve.”
This is just one of many similar campaigns that enroll systems they compromise into proxyware services like Honeygain, Nanowire, Peer2Profit, IPRoyal, and others, as Cisco Talos and Ahnlab previously reported.
In April, Sysdig also spotted proxyjackers leveraging the Log4j vulnerability for initial access, allowing them to make profits of up to $1,000 for every 100 devices added to their proxyware botnet.
Source: www.bleepingcomputer.com