Saturday, March 2, 2024

Proxyjacking Campaign: Cybercriminals Targeting Vulnerable SSH Servers
A new financially motivated campaign has emerged, with cybercriminals actively hijacking vulnerable SSH servers to create a covert proxy network.

In this campaign, attackers exploit SSH for remote access, running malicious scripts that secretly enroll victim servers into a peer-to-peer (P2P) proxy network such as Peer2Profit or Honeygain, as reported by Akamai researcher Allen West. Unlike cryptojacking, where compromised systems are used for unauthorized cryptocurrency mining, proxyjacking allows threat actors to use the victim's unused bandwidth to operate various services as a P2P node.

This approach offers dual benefits: it enables the attacker to monetize the surplus bandwidth with significantly reduced resource usage compared to cryptojacking, while also minimizing the risk of detection. "It is a stealthier alternative to cryptojacking and poses serious implications that amplify the challenges of proxied Layer 7 attacks," explains West.

The use of proxyware services for anonymity can be a double-edged sword, as malicious actors can exploit them to obfuscate the origin of their attacks by routing traffic through intermediary nodes.

Akamai, which discovered this campaign on June 8, 2023, reveals that the activity aims to breach vulnerable SSH servers and deploy an obfuscated Bash script. This script fetches necessary dependencies from a compromised web server, including the camouflaged curl command-line tool disguised as a CSS file ("csdark.css").

The stealthy script also actively terminates competing instances of bandwidth-sharing programs before launching Docker services that leverage the victim's bandwidth for financial gains.
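The trick described above, a curl binary dropped under a stylesheet name, is cheap to check for on a host: a file's extension is a claim, its leading bytes are the truth. The following is an added example written for this page, not code from Akamai's report or from the campaign's script; it walks a directory, reads the first bytes of each file, and flags text-style extensions (.css, .js, .html, ...) whose content starts with an executable or archive signature. The signature table, the extension list and the sample directory it builds are all constructed for the demonstration.

```python
"""Flag files whose extension claims a text format but whose leading bytes
say executable/archive, e.g. a "csdark.css" that is really an ELF binary.
Added example for this article; not the campaign's or Akamai's code."""
import os
import tempfile
from typing import List

# Leading-byte signatures for a few binary formats (labels are ours).
MAGIC = {
    b"\x7fELF": "elf",      # Linux executable / shared object
    b"MZ": "pe",            # Windows executable
    b"#!": "script",        # shebang script
    b"\x1f\x8b": "gzip",    # gzip archive
}

# Extensions that should never carry executable content (assumed list).
TEXT_EXTENSIONS = {".css", ".js", ".html", ".txt", ".json", ".svg"}
EXECUTABLE_KINDS = {"elf", "pe", "script", "gzip"}


def content_kind(head: bytes) -> str:
    """Classify a file by its first bytes: a known magic, plain text, or opaque binary."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    printable = all(b in b"\t\n\r" or 32 <= b < 127 for b in head[:64])
    return "text" if printable else "binary"


def is_masquerading(name: str, head: bytes) -> bool:
    """True when a text-style extension hides executable or archive content."""
    ext = os.path.splitext(name)[1].lower()
    return ext in TEXT_EXTENSIONS and content_kind(head) in EXECUTABLE_KINDS


def scan_directory(root: str) -> List[str]:
    """Return sorted paths under root whose extension and content disagree."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    head = f.read(64)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if is_masquerading(fn, head):
                hits.append(path)
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed directory holding a real stylesheet and a
    'stylesheet' that begins with an ELF header, then scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "site.css"), "wb") as f:
        f.write(b"body { margin: 0; }\n")
    with open(os.path.join(root, "csdark.css"), "wb") as f:
        # Constructed ELF-like header only; not a runnable binary.
        f.write(b"\x7fELF\x02\x01\x01" + b"\x00" * 57)
    return [os.path.basename(p) for p in scan_directory(root)]


if __name__ == "__main__":
    print(demo())  # ['csdark.css']
```

Run it against a web root or a temp directory that unattended processes write to; a match is worth a look even when the file name looks harmless, since the mismatch itself is the indicator, independent of the specific name used in this campaign.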

Further investigation of the web server hosting the campaign uncovered the presence of a cryptocurrency miner, indicating that the threat actors are involved in both cryptojacking and proxyjacking attacks. While proxyware itself is not necessarily malicious, Akamai warns that "some of these companies fail to properly verify the sourcing of IPs in the network and occasionally encourage users to install the software on their work computers."

However, when installed without users' knowledge or consent, these operations can cross into the realm of cybercrime, allowing threat actors to control multiple systems and generate illicit revenue.

"Old techniques remain effective, especially when paired with new outcomes," notes West. "Implementing standard security practices, including strong passwords, patch management, and comprehensive logging, remains crucial for effective prevention."
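The "comprehensive logging" West mentions only pays off if someone reads the logs. As an added example (written for this article, not part of Akamai's research), the script below parses sshd authentication lines in the standard syslog format and raises two alerts a defender would want from an SSH-focused campaign: a source address reaching a threshold of failed password attempts, and a password login accepted from an address that had already crossed that threshold. The log lines, host name and addresses are constructed for the demonstration; the threshold of 5 is an arbitrary starting point.

```python
"""Spot password guessing and guess-then-success in sshd logs.
Added example for this article; the sample log is constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Matches the common OpenSSH syslog lines for password and key logins.
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one address guesses root's password and succeeds,
# one legitimate key login, one isolated failure.
SAMPLE_LOG = """\
Mar  1 02:14:01 web1 sshd[4120]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  1 02:14:03 web1 sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  1 02:14:05 web1 sshd[4124]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  1 02:14:07 web1 sshd[4126]: Failed password for root from 203.0.113.7 port 40152 ssh2
Mar  1 02:14:09 web1 sshd[4128]: Failed password for root from 203.0.113.7 port 40160 ssh2
Mar  1 02:14:12 web1 sshd[4130]: Accepted password for root from 203.0.113.7 port 40171 ssh2
Mar  1 02:20:44 web1 sshd[4201]: Accepted publickey for deploy from 198.51.100.12 port 52210 ssh2
Mar  1 02:21:00 web1 sshd[4210]: Failed password for root from 198.51.100.40 port 33001 ssh2
"""


def analyse(lines: Iterable[str], threshold: int = 5) -> List[str]:
    """Return alert strings, in log order, for guessing and guess-then-success."""
    failures: Dict[str, int] = defaultdict(int)
    alerts: List[str] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an auth result line (session open, disconnects, ...)
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] == threshold:  # alert once, when the threshold is reached
                alerts.append(f"password guessing: {ip} reached {threshold} failures")
        elif m["method"] == "password" and failures[ip] >= threshold:
            alerts.append(
                f"success after guessing: {ip} logged in as {m['user']} "
                f"after {failures[ip]} failures"
            )
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert is the one that matters for this campaign: a burst of failures followed by an accepted password login is the signature of a weak credential giving way, and it is the moment to look for the follow-on activity the article describes (an unexpected download, killed processes, new Docker services). Disabling password authentication in favour of keys removes the whole class of event.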
