Proxyjacking: The Latest Trend in Bandwidth Abuse and Security Threats

A researcher at Akamai posted a blog about the new trend of proxy jacking, where criminals sell users' bandwidth to third-party proxy services

A researcher at Akamai posted a blog about the new trend of proxyjacking, where criminals sell users' bandwidth to third-party proxy services. Proxies and stolen bandwidth have always been popular with cybercriminals, because they let them anonymize their traffic. What is new is a campaign in which criminals rent out bandwidth from compromised systems to monetize it, rather than just using it themselves. Active, financially motivated campaigns target vulnerable SSH servers to secretly ensnare them in proxy networks. Researchers became aware of this campaign when they noticed an attacker making multiple SSH (Secure Shell) connections to one of their Cowrie honeypots. Cowrie is a medium- to high-interaction SSH and Telnet honeypot designed to log brute-force attacks and the shell interactions attackers perform. Written in Python, it can emulate a UNIX system and also act as an SSH and Telnet proxy, so that attacker behaviour against other systems can be observed.

In contrast to cryptojacking, where compromised system resources are used to illegally mine cryptocurrency, proxyjacking lets threat actors use the victim's unused bandwidth to covertly run services as a P2P node. This allows attackers to monetize the spare bandwidth with a far smaller resource load than cryptojacking requires, and it also reduces the likelihood of being discovered.

In June 2023, Akamai discovered the latest campaign and said that this activity was designed to break into vulnerable SSH servers. It used a Bash script, also equipped to fetch the necessary dependencies from compromised web servers, including the curl command-line tool disguised as a CSS file ("csdark.css"). The script then actively seeks out and terminates competing instances of bandwidth-sharing programs before launching a Docker service that shares the victim's bandwidth for profit. For criminals, the beauty of these attacks is that most of them are file-less, and the files actually used, namely curl and public Docker images for the Peer2Profit and Honeygain proxy-monetization services, are legitimate and will not be detected by anti-malware solutions. Proxyjacking is much less likely to be detected than cryptojacking, as it requires only minimal CPU cycles and uses excess Internet bandwidth.
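The "csdark.css" trick above is a plain extension-versus-content mismatch: a file served under a stylesheet name whose first bytes are an ELF header. The following POSIX shell script, an added example that is not code from the Akamai post, shows how a defender can sweep a web root or download directory for exactly that mismatch. The directory layout and file contents it builds are constructed for the demo (the fake "csdark.css" holds only an ELF magic number plus padding, not a real binary), and the list of text-type extensions is an assumption you would tune to your own site.

```shell
#!/bin/sh
# Added example, not code from the Akamai post: flag files whose extension says
# "text asset" (.css, .js, .html, ...) but whose first bytes are an ELF header,
# the kind of mismatch behind the "csdark.css" download described above.

# Print the first four bytes of a file as lowercase hex, e.g. "7f454c46" for ELF.
magic_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Succeed (exit 0) when the file has a text-type extension but an ELF magic number.
is_disguised_elf() {
    case "$1" in
        *.css|*.js|*.html|*.htm|*.txt|*.json) ;;   # extensions that should never be ELF (assumed list)
        *) return 1 ;;
    esac
    [ "$(magic_hex "$1")" = "7f454c46" ]
}

# Walk a directory tree and print every disguised ELF found, one path per line.
scan_for_disguised_elf() {
    find "$1" -type f | while IFS= read -r f; do
        if is_disguised_elf "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed demo tree (assumed paths, not from the campaign): a real
# stylesheet, a fake one carrying an ELF header, and an ordinary shell script.
make_demo_tree() {
    mkdir -p "$1/assets"
    printf 'body { color: #333; }\n' > "$1/assets/site.css"
    # ELF magic followed by ELF64/little-endian/version bytes, then padding; not a runnable binary.
    printf '\177ELF\002\001\001AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' > "$1/assets/csdark.css"
    printf '#!/bin/sh\necho hello\n' > "$1/assets/run.sh"
}

# Stand-alone run: build the demo tree under a temp dir, scan it, clean up.
demo="$(mktemp -d)"
make_demo_tree "$demo"
scan_for_disguised_elf "$demo"
rm -rf "$demo"
```

Run against a real tree with `scan_for_disguised_elf /var/www`; a hit is a file an attacker could fetch and `chmod +x`, regardless of what the web server's content type says. Checking magic bytes rather than names is the point: the extension is the attacker's choice, the header is not.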

These seemingly legitimate services can be used by criminals on both sides, either to anonymize their activities or to sell other people's resources; we'd rather see them disappear altogether, but they should at least improve their customer and participant verification. As for how home users can protect themselves from proxyjacking: keep systems and software up to date and use effective, secure password practices. Akamai also noted that this campaign used SSH to gain access to servers and install Docker containers, but previous campaigns also exploited web vulnerabilities. If you check for running local Docker services and find unwanted resource sharing on your system, investigate the intrusion, determine how the scripts were uploaded and executed, and perform a thorough cleanup.
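The closing advice, check the Docker containers actually running on the host, is easy to turn into a repeatable triage step. The POSIX shell script below is an added example, not code from the Akamai post or from either proxy service: it filters `docker ps` output for images whose names mention the two bandwidth-sharing services the campaign used. The container IDs, image repository names and tags in the sample are constructed for illustration (the real images may be published under different names), and the pattern list is meant to be extended with whatever your own environment should never be running.

```shell
#!/bin/sh
# Added example, not code from the Akamai post: triage `docker ps` output for
# containers built from the bandwidth-sharing images named in the article.
# Image repository names and container IDs below are constructed for illustration.

# Lowercase substrings to look for in image names; Peer2Profit and Honeygain are
# the services the campaign used. Extend the list for your own environment.
PROXY_IMAGE_PATTERNS="peer2profit honeygain"

# Read lines of the form ID<TAB>IMAGE<TAB>NAMES on stdin and print
# "ID IMAGE NAMES" for each container whose image matches a pattern.
flag_proxy_containers() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r id image names; do
        lower="$(printf '%s' "$image" | tr 'A-Z' 'a-z')"
        for p in $PROXY_IMAGE_PATTERNS; do
            case "$lower" in
                *"$p"*) printf '%s %s %s\n' "$id" "$image" "$names"; break ;;
            esac
        done
    done
}

# Live check on a host: feed the real container list through the filter.
# Requires the docker CLI; the --format template is standard docker ps syntax.
audit_running_containers() {
    docker ps --format '{{.ID}}\t{{.Image}}\t{{.Names}}' | flag_proxy_containers
}

# Constructed sample of docker ps output for offline use (IDs and image tags are made up).
sample_docker_ps() {
    printf 'a1b2c3d4e5f6\tnginx:1.25\tweb\n'
    printf '3f9e2d1c0b7a\tpeer2profit/peer2profit_linux:latest\tp2p\n'
    printf '9a8b7c6d5e4f\tpostgres:16\tdb\n'
    printf '7c8d9e0f1a2b\thoneygain/honeygain:latest\thg\n'
}

# Stand-alone run over the sample; on a real host call audit_running_containers instead.
sample_docker_ps | flag_proxy_containers
```

A hit from `audit_running_containers` is the cue the article ends on: do not just stop the container, but work out how the script got onto the box (SSH credentials, a web application flaw) before cleaning up, or the same foothold will be reused.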