Targeted SSH servers are the subject of an ongoing, financially driven initiative that aims to sneakily entangle them into a proxy network.
According to a study released on Thursday by Akamai researcher Allen West, “this is an active campaign in which the attacker uses SSH for remote access, running malicious scripts that covertly enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain.”
Proxyjacking gives threat actors the opportunity to exploit the victim’s spare bandwidth to surreptitiously operate various services as a P2P node, in contrast to cryptojacking, in which a compromised system’s resources are used to illegally mine bitcoin.
This has two advantages: It not only allows the attacker to make money off the increased bandwidth with a far lower resource burden than would be required to carry out cryptojacking, but it also lessens the likelihood of being discovered.
“It is a stealthier alternative to cryptojacking and has serious implications that can increase the headaches that proxied Layer 7 attacks already serve,” added West.
Even worse, hostile actors may leverage proxyware services’ anonymity to hide the origin of their assaults by routing traffic through middle nodes, which is a double-edged sword that makes the situation worse.
Akamai, which found the most recent mission on June 8, 2023, said the movement is intended to penetrate defenseless SSH servers and send a muddled Slam script that, thusly, is prepared to bring important conditions from a compromised web server, including the twist order line instrument by disguising it as a CSS document (“csdark.css”).
Before launching Docker services that profitably share the victim’s bandwidth, the stealthy script actively searches for and kills competing instances running bandwidth-sharing services.
The fact that the web server is also being used to host a cryptocurrency miner after further investigation suggests that the threat actors are experimenting with both proxyjacking and cryptojacking attacks.
While proxyware isn’t intrinsically terrible, that’s what akamai noticed “a portion of these organizations don’t as expected check the obtaining of the IPs in the organization, and try and sometimes propose that individuals introduce the product on their work PCs.”
However, when applications are installed without the users’ knowledge or consent, they become cybercrime, allowing the threat actor to control multiple systems and generate unauthorized revenue.
According to West, “Old techniques remain effective, particularly when paired with new outcomes.” Strong passwords, patch management, and careful logging are still common security practices that work well to prevent problems.