Cybercriminals have launched a financially motivated campaign that targets vulnerable SSH servers, covertly turning them into proxies for their illicit activities.
According to a recent report by Akamai researcher Allen West, the attackers utilize SSH for remote access, executing malicious scripts that surreptitiously enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain.
Unlike cryptojacking, where compromised systems are used for unauthorized cryptocurrency mining, proxyjacking allows threat actors to exploit the victim's unused bandwidth to run various services as a P2P node.
This approach offers two advantages: it enables the attacker to monetize the surplus bandwidth with significantly reduced resource consumption compared to cryptojacking, and it decreases the likelihood of detection.
West stated, "It is a stealthier alternative to cryptojacking and has serious implications that can amplify the impact of proxied Layer 7 attacks."
The use of proxyware services adds another layer of anonymity, allowing malicious actors to obfuscate the origin of their attacks by routing traffic through intermediary nodes.
Akamai identified the ongoing proxyjacking campaign on June 8, 2023. The attackers breach vulnerable SSH servers and deploy an obfuscated Bash script that fetches the dependencies it needs from a compromised web server, including a copy of the curl command-line tool camouflaged as a CSS file ("csdark.css").
The stealthy script actively terminates competing instances of bandwidth-sharing programs before launching Docker services that utilize the victim's bandwidth for profit.
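A defender-side hunting check for the two behaviours just described, written here as an added example rather than code from the Akamai report: it flags web-asset-named files that are really ELF binaries (the csdark.css trick) and `docker run` processes whose command line names one of the proxyware services. It assumes the service name appears in the container command line, and all sample files and process lines are constructed.

```python
# Added hunting checks for the tradecraft described above (not Akamai's code). Assumption:
# a disguised tool is a web-asset-named file that is really an ELF binary, and proxyware
# shows up as the report's service names inside a `docker run` command line.
import os
import re
import tempfile
ELF_MAGIC = b"\x7fELF"
WEB_ASSET_EXT = {".css", ".js", ".html"}
PROXYWARE_MARKERS = ("peer2profit", "honeygain")  # services named in the report
DOCKER_RUN = re.compile(r"\bdocker\s+(?:container\s+)?run\b")

def find_disguised_binaries(root):
    """Web-asset-named files under root starting with the ELF header (e.g. csdark.css)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in WEB_ASSET_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(ELF_MAGIC))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if head == ELF_MAGIC:
                hits.append(path)
    return sorted(hits)

def find_proxyware_containers(ps_lines):
    """(pid, line) for `ps -eo pid,args` lines whose docker run names a proxyware marker."""
    flagged = []
    for line in ps_lines:
        low = line.lower()
        if DOCKER_RUN.search(low) and any(m in low for m in PROXYWARE_MARKERS):
            flagged.append((low.split(None, 1)[0], line.strip()))
    return flagged

SAMPLE_PS = [  # constructed process listing, not from a real host
    "   812 /usr/sbin/sshd -D",
    "  4120 docker run -d --restart=always --name peer2profit-node PLACEHOLDER_IMAGE",
    "  4133 docker run -d --name web nginx:latest",
    "  4150 docker run -d --name honeygain-node PLACEHOLDER_IMAGE",
]
def build_sample_tree():
    """Constructed temp dir: one disguised binary plus two benign decoys."""
    root = tempfile.mkdtemp(prefix="proxyjack_demo_")
    files = {"csdark.css": ELF_MAGIC + b"\x02\x01", "style.css": b"body{}", "curl": ELF_MAGIC}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

On a real host, point `find_disguised_binaries` at web roots and temp directories and feed `find_proxyware_containers` the output of `ps -eo pid,args`.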
Further investigation of the compromised web server revealed the presence of a cryptocurrency miner, indicating that the threat actors are involved in both cryptojacking and proxyjacking attacks.
While proxyware itself is not inherently malicious, Akamai warns that some companies fail to properly verify the sourcing of IPs in their networks, occasionally suggesting that users install the software on their work computers.
Such operations can cross into cybercrime territory when the applications are installed without user knowledge or consent, giving the threat actors control over multiple systems and generating illegitimate revenue.
"Old techniques remain effective, especially when paired with new outcomes," said West. "Implementing standard security practices such as strong passwords, patch management, and comprehensive logging remains crucial in preventing such attacks."