A lucrative campaign is actively targeting vulnerable SSH servers and secretly enclosing them in proxy networks.
“This is an active campaign in which attackers leverage SSH for remote access and run malicious scripts that covertly join victim servers to peer-to-peer (P2P) proxy networks such as Peer2Profit and Honeygain,” Akamai said. Researcher Allen West said. Said in Thursday’s report.
Unlike cryptojacking, which uses the resources of a compromised system to illegally mine cryptocurrency, proxyjacking allows a threat actor to leverage a victim’s unused bandwidth to operate various networks as P2P nodes. Provides the ability to run services covertly.
This has two advantages. Not only can attackers greatly reduce the resource load required to perform cryptojacking, monetizing additional bandwidth, but they are also less likely to be discovered.
“This is a more stealthy alternative to cryptojacking, with serious implications that can add to the headaches of proxying. Layer 7 attack I’m already working,” West said.
Worse, the anonymity provided by proxyware services can be a double-edged sword in that it can be exploited by malicious attackers by routing traffic through intermediate nodes. There is a nature.
Akamai, which discovered the latest campaign on June 8, 2023, said the activity was designed to compromise vulnerable information. SSH server Then deploy the obfuscated Bash script. This script has the ability to retrieve the required dependencies from the compromised web server, including the curl command line tool, by disguising it as a CSS file (“csdark.css”).
The stealth script also actively searches for and terminates competing instances running bandwidth sharing programs before launching Docker services that share the victim’s bandwidth for profit.
Further investigation of this web server revealed that it was also used to host cryptocurrency miners. This suggests that attackers are dabbling in both cryptojacking and proxyjacking attacks.
Proxyware isn’t inherently malicious, but “some of these companies don’t properly validate the sources of IPs in their networks, and in some cases, insist that they install software on their work computers.” I even recommend it to people,” Akamai pointed out.
However, once an application is installed without the user’s knowledge or consent, such operations can extend into the realm of cybercrime, allowing threat actors to control multiple systems and generate illicit revenue. becomes possible.
“Old methods are still effective, especially when combined with new results,” West said. “Standard security practices such as strong passwords, patch management, and thorough logging continue to serve as effective prevention mechanisms.”
