A researcher at Akamai posted a blog about the new trend of proxyjacking, where
criminals sell users' bandwidth to third-party proxy services. Proxies and
stolen bandwidth have always been popular with cybercriminals, as they allow
attackers to anonymize their traffic. What is new is that criminals are now
renting out bandwidth from compromised systems to monetize it rather than just
using it. Active, financially motivated campaigns target vulnerable SSH servers
to secretly ensnare them into proxy networks. The researchers became aware of
this campaign when they noticed an attacker making multiple SSH (Secure Shell)
connections to one of their Cowrie honeypots. Cowrie is a medium- to
high-interaction SSH and Telnet honeypot designed to log brute-force attacks and
the shell interactions attackers perform. Written in Python, it can emulate a
UNIX system, or act as an SSH and Telnet proxy that forwards sessions to other
systems while recording attacker behaviour.
In contrast to cryptojacking, where compromised system resources are used to
illegally mine cryptocurrency, proxyjacking lets threat actors use the victim's
unused bandwidth to covertly run bandwidth-sharing services as a P2P node. This
lets attackers monetize the spare bandwidth with far less CPU load than
cryptomining requires, which in turn makes the compromise less likely to be
noticed.
In June 2023, Akamai discovered the latest campaign and said the activity was
designed to break into vulnerable SSH servers. The attacker used a Bash script
that fetches its dependencies from compromised web servers, including the curl
command-line tool disguised as a CSS file ("csdark.css"). The script then
actively seeks out and terminates competing instances of bandwidth-sharing
programs before launching a Docker service that shares the victim's bandwidth
for profit. For criminals, the beauty of these attacks is that they leave few
artifacts on disk, and the files that are used, namely curl and the public
Docker images for the Peer2Profit and Honeygain proxy monetization services,
are legitimate software that anti-malware solutions will not flag. Proxyjacking
is much less likely to be detected than cryptojacking because it needs only
minimal CPU cycles and consumes excess Internet bandwidth rather than compute.
These seemingly legitimate services can be abused by criminals on both sides,
either to anonymize their own activities or to sell other people's resources.
We would rather see them disappear altogether, but they should at least improve
their customer and participant verification. As for how home users can protect
themselves from proxyjacking, the answer is to keep systems and software up to
date and to use effective and secure password practices. Akamai also noted that
although this campaign used SSH to gain access to servers and install Docker
containers, previous campaigns have also exploited web vulnerabilities. If you
check the Docker services running locally and find unwanted resource sharing on
your system, you should treat it as an intrusion: determine how the scripts
were uploaded and executed, and perform a thorough cleanup rather than just
stopping the container.
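Two host checks that follow from the campaign described above, as an added example that is not code from Akamai's write-up or from the attacker's script: one flags running Docker containers whose image name matches a bandwidth-sharing service named in the article, the other finds an ELF binary hiding behind a web-asset file name, the way curl was fetched as "csdark.css". The image-name substrings and the demo file contents are assumptions constructed for the example; the exact image tags the attacker used are not given in the article.

```shell
#!/bin/sh
# Added triage helpers (not from the Akamai research). Run on a suspect
# host, or feed constructed input as the demo at the bottom does.

# flag_proxy_containers: reads lines "<id> <image> <name>" on stdin, i.e. the
# output of `docker ps --format '{{.ID}} {{.Image}} {{.Names}}'`, and prints
# "<id> <image>" for every container whose image looks like a known
# bandwidth-sharing service. The match list is an assumption; extend it.
flag_proxy_containers() {
    while read -r id image name; do
        lower=$(printf '%s' "$image" | tr 'A-Z' 'a-z')
        case "$lower" in
            *honeygain*|*peer2profit*) printf '%s %s\n' "$id" "$image" ;;
        esac
    done
}

# is_disguised_binary FILE: succeeds (exit 0) when FILE carries a web-asset
# extension but begins with the ELF magic bytes 7f 45 4c 46, which is how a
# renamed curl binary shows up on disk. Anything else fails (exit 1).
is_disguised_binary() {
    f=$1
    case "$f" in
        *.css|*.js|*.html|*.png|*.jpg|*.gif) ;;
        *) return 1 ;;
    esac
    [ -f "$f" ] || return 1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# scan_dirs DIR...: walk the given directories (web roots, /tmp, /var/tmp)
# and print each file that is_disguised_binary flags.
scan_dirs() {
    find "$@" -type f 2>/dev/null | while read -r f; do
        if is_disguised_binary "$f"; then printf '%s\n' "$f"; fi
    done
}

# demo: exercises both checks on constructed data (a fake ELF header named
# csdark.css, a real stylesheet, and two made-up docker ps lines).
demo() {
    tmp=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$tmp/csdark.css"   # ELF magic + e_ident
    printf 'body { color: red }\n' > "$tmp/real.css"   # genuine CSS
    echo "disguised binaries:"
    scan_dirs "$tmp"
    echo "suspect containers:"
    printf 'abc123 honeygain/honeygain:latest hg1\ndef456 nginx:1.25 web\n' \
        | flag_proxy_containers
    rm -rf "$tmp"
}

demo
```

On a live host, replace the constructed input with `docker ps --format '{{.ID}} {{.Image}} {{.Names}}' | flag_proxy_containers` and `scan_dirs /var/www /tmp /var/tmp`; a hit from either check is a reason to pull the container's creation time and the SSH auth log, not just to stop the container.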