Threat actors have discovered a profitable new attack method that uses legal proxyware services, which let users resell some of their Internet bandwidth to outside parties. According to Sysdig Threat Research Team (TRT) researchers, cybercriminals can employ this “proxyjacking” attack vector in large-scale attacks that target cloud-based systems to potentially make hundreds of thousands of dollars per month in passive revenue.
Researchers from Kaspersky defined proxyware services in the following way in a blog post from February: “[Users install a client that creates a] proxy server. Installed on a desktop computer or smartphone, it makes the device’s Internet connection accessible to an outside party.” The proxyware service, an outside entity, resells a predetermined percentage of the user’s bandwidth to other persons. “Depending on how long the program remains enabled and how much bandwidth it is permitted to use, the client accumulates points [for the user] that can eventually be converted into currency and transferred to a bank account,” as per researchers at Kaspersky.
In one assault, the Sysdig researchers saw threat actors use the Log4j vulnerability to infiltrate a container in a cloud environment. After that, they installed a proxyware agent that transformed the system into a proxy server without the container owner’s knowledge. In an uncommon kind of Log4j hack, this enabled the attacker to “sell the IP to a proxyware service and collect the profit.” In most Log4j attacks, a backdoor or cryptojacking payload is dropped on the target device, Sysdig threat research engineer Crystal Morin wrote in the post. “While Log4j attacks are common, the payload used in this case was uncommon,” she wrote.
According to Morin, proxyjacking and cryptojacking make money off a victim’s bandwidth and are equally beneficial for the attacker. To extract the most value from stolen computers, attackers often install CPU-based miners, whereas proxyjacking mostly leverages network resources, leaving a small CPU footprint, she noted. She further wrote that CPU usage is typically one of the first (and, therefore, most significant) indicators in monitoring software. The impact of proxyjacking on the system is negligible; tens of gigabytes of network traffic per day for a month is highly unlikely to be observed.
Researchers reveal that proxyjacking is a relatively new phenomenon made more common by developing and using proxyware services in recent years. As previously indicated, these services, including IPRoyal, Honeygain, and Peer2Profit, are installed as applications or software on devices connected to the Internet. When used, they let users share Internet bandwidth by purchasing the right to use one other’s IP addresses. Proxyware is useful for people who want to use another person’s IP address for activities like watching a YouTube video unavailable in their area, engaging in unrestricted Web scraping and surfing, or visiting dubious websites without giving away their IP address. According to the service, users are charged based on the number of hours the program is used for each IP address that someone provides via proxyware.
Attackers downloaded a malicious script from a command-and-control server (C2), placed it in the /tmp folder, and then used that privilege to take control of a container in the environment in the attack examined by Sysdig researchers. The attackers targeted an unpatched Apache Solr service running in Kubernetes infrastructure. A proxyware service called Pawns.app has been observed exchanging IPs from the IPRoyal proxy network. According to researchers, Sysdig TRT could connect the malware downloaded and used by the malicious script to the command-line interface version of the IPRoyal Pawns program from GitHub, which employs identical parameters. Attackers allegedly started operating the hacked pod to profit from the service in this manner. Researchers noted that attackers concealed their activities by erasing their history, deleting the file they put in the containers, and deleting the temporary files from the compromised system.
Morin wrote although there are now just a few proxyware services that have been documented to be exploited for proxyjacking, Sysdig experts predict that this attack vector will expand and that, ultimately, defenders will uncover more nefarious activities. “This is a low-effort and high-reward attack for threat actors, with the potential for far-reaching implications.” The research revealed that an attacker might make $9.60 monthly for 24 hours of activity on one proxyjacked IP address. A cybercriminal may make passive revenue of up to $1,000 per month from this behavior with a slight penetration of 100 IP addresses.
The researchers stated that since millions of servers are still running vulnerable versions of the logging tool and more than 23,000 can be contacted via the Internet, according to Censys, this number can increase when abusing Log4j on unpatched systems. Enterprises must take precautions against prospective assaults to avoid getting potentially surprising use bills due to proxyjacking activities. They advised businesses to set up billing thresholds and notifications with their different cloud service providers, which might be a warning sign when anything is wrong. To obtain warnings on any first access and payload activity before installing a proxyware service application on your network, Morin suggested enterprises set up threat-detection rules.
