Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign

June 30, 2023 | Ravi Lakshmanan | Server Security / Cyber Threat


A lucrative campaign is actively targeting vulnerable SSH servers and covertly enrolling them in proxy networks.

“This is an active campaign in which attackers leverage SSH for remote access and run malicious scripts that covertly join victim servers to peer-to-peer (P2P) proxy networks such as Peer2Profit and Honeygain,” Akamai researcher Allen West said in a report published Thursday.

Unlike cryptojacking, which uses the resources of a compromised system to illegally mine cryptocurrency, proxyjacking lets a threat actor leverage a victim’s unused bandwidth to covertly run the system as a P2P node in various proxy services.

This has two advantages. Not only does it greatly reduce the resource load compared with cryptojacking while still monetizing the victim’s spare bandwidth, but it is also less likely to be discovered.


“This is a more stealthy alternative to cryptojacking and has serious implications that could add to the headaches layer 7 attacks with proxies have already caused,” West said.

Worse, the anonymity provided by proxyware services is a double-edged sword: malicious actors can exploit it by routing their traffic through the intermediate nodes.


Akamai, which discovered the latest campaign on June 8, 2023, said it is designed to compromise vulnerable SSH servers and deploy an obfuscated Bash script that fetches the dependencies it needs, including the curl command-line tool, from a compromised web server, where the tool is disguised as a CSS file (“csdark.css”).

The stealth script also actively searches for and terminates competing instances running bandwidth sharing services before launching Docker services that share the victim’s bandwidth for profit.
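Two defender-side checks for the behaviours described above, written as an added example (not Akamai’s tooling or the campaign’s script): a binary delivered under a stylesheet name can be spotted by its ELF magic bytes regardless of its extension, and running containers can be screened against the proxyware names the report mentions. The `docker ps` output and file contents below are constructed sample data, not real campaign artifacts.

```python
"""Defensive triage helpers for the proxyjacking behaviours described in the report.

Added example, not Akamai's tooling. All sample inputs are constructed.
"""
import re

# Magic bytes of an ELF executable; a genuine stylesheet never starts with these.
ELF_MAGIC = b"\x7fELF"

# Proxyware names referenced in the report, matched case-insensitively.
PROXYWARE_PATTERN = re.compile(r"peer2profit|honeygain", re.IGNORECASE)


def is_disguised_binary(filename: str, content: bytes) -> bool:
    """True when a file that claims to be a .css stylesheet is actually an ELF binary."""
    return filename.lower().endswith(".css") and content.startswith(ELF_MAGIC)


def flag_proxyware_containers(docker_ps_output: str) -> list[str]:
    """Return container IDs from default `docker ps` table output whose IMAGE or NAMES
    column matches a known proxyware name. Column layout assumed: ID first, image second,
    container name last (the COMMAND column may contain spaces, so only the ends are used).
    """
    flagged = []
    for line in docker_ps_output.strip().splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 2:
            continue
        container_id, image, name = cols[0], cols[1], cols[-1]
        if PROXYWARE_PATTERN.search(image) or PROXYWARE_PATTERN.search(name):
            flagged.append(container_id)
    return flagged


# Constructed sample data (hypothetical IDs and image tags, not indicators from the campaign).
SAMPLE_CSS_BINARY = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8   # ELF header fragment
SAMPLE_REAL_CSS = b"body { color: #333; }"

SAMPLE_DOCKER_PS = """\
CONTAINER ID   IMAGE                                  COMMAND                   CREATED       STATUS      PORTS    NAMES
1a2b3c4d5e6f   peer2profit/peer2profit_linux:latest   "/bin/sh -c ./p2p"        2 hours ago   Up 2 hours           p2p_node
0f9e8d7c6b5a   nginx:1.25                             "nginx -g 'daemon off;'"  3 days ago    Up 3 days   80/tcp   web
fedcba987654   honeygain/honeygain:latest             "/honeygain -email x"     1 hour ago    Up 1 hour            honeygain
"""

if __name__ == "__main__":
    print(is_disguised_binary("csdark.css", SAMPLE_CSS_BINARY))  # True
    print(is_disguised_binary("site.css", SAMPLE_REAL_CSS))      # False
    print(flag_proxyware_containers(SAMPLE_DOCKER_PS))           # ['1a2b3c4d5e6f', 'fedcba987654']
```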

Further investigation of this web server revealed that it was also used to host cryptocurrency miners. This suggests that attackers are dabbling in both cryptojacking and proxyjacking attacks.


Proxyware isn’t inherently malicious, but “some of these companies don’t properly validate the sources of IPs in their networks, and in some cases even recommend that people install the software on their work computers,” Akamai pointed out.

However, when an application is installed without the user’s knowledge or consent, such manipulation crosses into cybercrime, allowing attackers to control multiple systems and generate illicit revenue.

“Old methods are still effective, especially when combined with new results,” West said. “Standard security practices such as strong passwords, patch management, and thorough logging continue to serve as effective prevention mechanisms.”
