Akamai first spotted the attacks on June 8 after multiple SSH connections were made to honeypots managed by the company's Security Intelligence Response Team (SIRT).
What is proxyjacking?
- Proxyjacking is a recent phenomenon driven by the growth of proxyware services over the last couple of years. A proxyware service is a legitimate, non-malicious application that you install on your internet-connected devices.
- When you run it, you share your internet bandwidth with others who pay to route traffic through your IP address. Services such as IPRoyal, Honeygain, and Peer2Profit pay for each IP address you share, based on the number of hours the application runs, so users earn money from their otherwise idle connection.
- Proxyware has previously been abused in adware campaigns reported by Cisco Talos Intelligence Group and AhnLab Security Emergency response Center (ASEC).
- As Cisco Talos explained in their blog post, attackers are “leveraging these platforms to monetize the internet bandwidth of victims, similar to how malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems.”
New proxyjacking attacks monetize hacked SSH servers' bandwidth
"Attackers behind an ongoing series of proxyjacking attacks are hacking into vulnerable SSH servers exposed online to monetize them through proxyware services that pay for sharing unused Internet bandwidth.
Like cryptojacking, which allows attackers to use hacked systems to mine for cryptocurrency, proxyjacking is a low-effort and high-reward tactic of leeching compromised devices' resources.
- However, proxyjacking is harder to detect because it only consumes a hacked system's unused bandwidth and does not noticeably affect its stability or usability.
"This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain," said Akamai security researcher Allen West.
"This allows for the attacker to monetize an unsuspecting victim's extra bandwidth, with only a fraction of the resource load that would be required for cryptomining, with less chance of discovery."
While investigating this campaign, Akamai found a list, shared on an online forum, that contained the IP address which started the investigation along with at least 16,500 other proxies.
Proxyware services and Docker containers
The script the attackers run over the SSH session sets up a container by pulling the Peer2Profit or Honeygain Docker image, and it kills any rival bandwidth-sharing containers already running on the host.
- On the compromised server used to host the malicious script, Akamai also found cryptominers of the kind used in cryptojacking attacks, along with exploits and hacking tools. This suggests the threat actors have either fully pivoted to proxyjacking or use it as an additional source of passive income.
"It is a stealthier alternative to cryptojacking and has serious implications that can increase the headaches that proxied Layer 7 attacks already serve."
This is just one of many similar campaigns that enroll the systems they compromise into proxyware services such as Honeygain, Nanowire, Peer2Profit, IPRoyal, and others, as Cisco Talos and AhnLab previously reported.
- In April, Sysdig also spotted proxyjackers leveraging the Log4j vulnerability for initial access, allowing them to make profits of up to $1,000 for every 100 devices added to their proxyware botnet."
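The two indicators the article gives a defender to work with are the initial access (password logins over SSH, seen on honeypots) and the payload (a Peer2Profit or Honeygain Docker container started on the host). The following is an added example of a host audit for both, written for this page; it is not Akamai's or BleepingComputer's code, and it does not reproduce the attackers' script. The Docker image names it matches, the container list and the auth.log lines are assumptions constructed for the example; check the image names against each vendor's own install instructions before relying on them.

```python
"""Audit a host for proxyjacking indicators.

Added example for this page (not Akamai's or BleepingComputer's code).
Image name patterns and sample data below are assumptions / constructed.
"""
import re
from collections import defaultdict

# Assumed Docker Hub image names of bandwidth-sharing services.
# Verify against the vendors' docs; treat as a starting list, not ground truth.
PROXYWARE_IMAGE_PATTERNS = [
    re.compile(r"(^|/)honeygain", re.I),
    re.compile(r"(^|/)peer2profit", re.I),
    re.compile(r"(^|/)pawns-cli", re.I),     # IPRoyal Pawns (assumed name)
    re.compile(r"(^|/)psclient", re.I),      # PacketStream (assumed name)
    re.compile(r"traffmonetizer", re.I),
]

def find_proxyware_containers(docker_ps_output: str) -> list[dict]:
    """Parse the output of `docker ps --format '{{.ID}}\t{{.Image}}\t{{.Names}}'`
    and return the containers whose image matches a proxyware publisher."""
    hits = []
    for line in docker_ps_output.strip().splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the audit
        cid, image, name = parts
        if any(p.search(image) for p in PROXYWARE_IMAGE_PATTERNS):
            hits.append({"id": cid, "image": image, "name": name})
    return hits

# OpenSSH auth.log formats for failed and successful password logins.
SSH_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+)")

def find_ssh_bruteforce_success(auth_log: str, threshold: int = 5) -> list[dict]:
    """Return source IPs that logged at least `threshold` failed password
    attempts and then an accepted password login: the guess-then-succeed
    pattern of an opportunistic SSH campaign. Logins with fewer prior
    failures (a user mistyping a password) are ignored."""
    failures = defaultdict(int)
    results = []
    for line in auth_log.splitlines():
        m = SSH_FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = SSH_ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] >= threshold:
                results.append({"ip": ip, "user": user, "failures_before": failures[ip]})
    return results

# Constructed sample data (not from a real host).
SAMPLE_DOCKER_PS = (
    "3f1a2b3c4d5e\tnginx:1.25\tweb\n"
    "9a8b7c6d5e4f\thoneygain/honeygain:latest\tbrave_swirles\n"
    "1b2c3d4e5f6a\tpeer2profit/peer2profit_linux:latest\tp2p\n"
)

SAMPLE_AUTH_LOG = "\n".join(
    [f"Jun  8 03:14:0{i} host sshd[120{i}]: Failed password for root from 203.0.113.7 port 5012{i} ssh2"
     for i in range(1, 7)]
    + ["Jun  8 03:14:09 host sshd[1210]: Accepted password for root from 203.0.113.7 port 50131 ssh2",
       "Jun  8 08:00:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
       "Jun  8 08:00:05 host sshd[1301]: Accepted password for alice from 198.51.100.4 port 40001 ssh2"]
)

if __name__ == "__main__":
    for c in find_proxyware_containers(SAMPLE_DOCKER_PS):
        print("proxyware container:", c)
    for s in find_ssh_bruteforce_success(SAMPLE_AUTH_LOG):
        print("brute-forced SSH login:", s)
```

On a live host, feed `find_proxyware_containers` the output of `docker ps --format '{{.ID}}\t{{.Image}}\t{{.Names}}'` and `find_ssh_bruteforce_success` the contents of `/var/log/auth.log` (or `journalctl -u ssh` on journald systems). A container that matches is only an indicator: the same images are run legitimately by people who installed the proxyware themselves, so confirm who started it and when before treating it as a compromise.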