Akamai researcher Alan West said, “This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that expose the victim server to peer-to-peer (P2P) proxy networks such as Peer2Profit”, secretly enlists in Honeygan.” Thursday’s report.
Unlike cryptojacking, in which the resources of a compromised system are used to illegally mine cryptocurrencies, proxyjacking allows threat actors to use a victim’s unused bandwidth to secretly run various services as a P2P node. Provides the ability to take advantage of
This provides a twofold benefit: not only does it enable the attacker to monetize the additional bandwidth with a significantly reduced resource load that would be required to carry out cryptojacking, but it also reduces the likelihood of discovery.
“It’s a covert alternative to cryptojacking and has serious implications that could exacerbate the headaches that proxy Layer 7 attacks already present,” West said.
To make matters worse, the anonymity provided by proxyware services can be a double-edged sword, in that they can be misused by malicious actors to obscure the source of their attacks by routing traffic through intermediary nodes.
Akamai, which discovered the latest campaign on June 8, 2023, said the activity was designed to break into vulnerable SSH servers and deploy an obfuscated bash script that, in turn, created a compromised CURL command. Is equipped to get the required dependencies from the given web server, hiding the -line tool as a css file (“csdark.css”).
The secret script further actively searches for and eliminates competing instances running bandwidth-sharing services, before launching Docker services that share the victim’s bandwidth for profit.
Further investigation of the web server revealed that it was also being used to host a cryptocurrency miner, suggesting that the threat actors engaged in both cryptojacking and proxyjacking attacks.
While proxyware is not inherently nefarious, Akamai noted that “some of these companies do not properly verify the sourcing of IPs in the network, and sometimes even suggest that people install the software on their work computers. “
But such operations fall under the purview of cybercrime when applications are installed without users’ knowledge or consent, allowing the threat actor to control multiple systems and generate illegitimate revenue.
“Old techniques remain effective, especially when paired with new results,” West said. “Standard security practices remain an effective prevention mechanism, including strong passwords, patch management, and careful logging.”