Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign

Cyber Security Threat Summary:
“An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. ‘This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain,’ Akamai researcher Allen West said in a Thursday report. Unlike cryptojacking, in which a compromised system's resources are used to illicitly mine cryptocurrency, proxyjacking offers the ability for threat actors to leverage the victim's unused bandwidth to covertly run different services as a P2P node. This offers two-fold benefits: It not only enables the attacker to monetize the extra bandwidth with a significantly reduced resource load that would be necessary to carry out cryptojacking, it also reduces the chances of discovery. To make matters worse, the anonymity provided by proxyware services can be a double-edged sword in that they could be abused by malicious actors to obfuscate the source of their attacks by routing traffic through intermediary nodes” (The Hacker News, 2023).

Security Officer Comments:
The latest campaign was uncovered by researchers at Akamai on June 8, 2023. According to the firm, the actors have been breaching vulnerable SSH servers to deploy an obfuscated Bash script that fetches the dependencies it needs from a compromised web server, including the curl command-line tool, which is disguised as a CSS file to evade casual inspection. “The stealthy script further actively searches for and terminates competing instances running bandwidth-sharing services, before launching Docker services that share the victim's bandwidth for profits” (The Hacker News, 2023).

On closer examination of the server used to host the disguised curl binary, researchers found that it also hosted a cryptocurrency miner, suggesting that the actors are interested in cryptojacking in addition to proxyjacking.

Suggested Correction(s):
(Akamai) Less CPU usage means that there is an even higher emphasis on IDS/IPS solutions to mitigate proxyjacking from a corporate perspective. The everyday user should implement strong security fundamentals, such as using complicated passwords and storing them in a password manager, applying patches to applications, and enabling multi-factor authentication (MFA) whenever possible. Users with deeper knowledge of computer security can additionally remain vigilant by paying attention to the containers currently running, monitoring network traffic for anomalies, and even running vulnerability scans on a regular basis. In this particular campaign, we saw the use of SSH to gain access to a server and install a Docker container, but past campaigns have exploited web vulnerabilities as well. If you check your local running Docker services and find any unwanted resource sharing on your system, you should investigate the intrusion, determine how the script was uploaded and run, and perform a thorough cleanup.
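Two of the checks recommended above (reviewing running containers, and scrutinising files that arrived disguised as web assets) can be scripted. The following is an added example written for this summary, not code from Akamai or The Hacker News; the proxyware watchlist contains only the two services named in the article, and the `docker ps` output is a constructed sample rather than captured data.

```shell
#!/bin/sh
# Added defender-side example (not from the Akamai/THN write-ups).
# Watchlist of proxyware services named in the article (constructed; extend as needed).
PROXYWARE_PATTERNS='peer2profit|honeygain'

# Constructed sample in the shape of:
#   docker ps --format '{{.ID}} {{.Image}} {{.Names}}'
SAMPLE_DOCKER_PS='a1b2c3d4e5f6 nginx:1.25 web-frontend
0f1e2d3c4b5a peer2profit/peer2profit_linux:latest quiet_node
9a8b7c6d5e4f postgres:15 db
deadbeef0001 honeygain/honeygain:latest hg'

# flag_proxyware_containers "<docker ps output>"
# Prints "SUSPECT <id> <image> <name>" for every container whose image or
# container name matches the watchlist (case-insensitive). Feed it
# "$(docker ps --format '{{.ID}} {{.Image}} {{.Names}}')" on a live host.
flag_proxyware_containers() {
    printf '%s\n' "$1" | awk -v pat="$PROXYWARE_PATTERNS" '
        NF >= 3 && (tolower($2) ~ pat || tolower($3) ~ pat) {
            print "SUSPECT " $1 " " $2 " " $3
        }'
}

# is_disguised_binary <file>
# Succeeds when a file saved with a text-like extension (e.g. .css, as the
# curl dependency was in this campaign) actually begins with the ELF magic
# bytes 7f 45 4c 46, i.e. is a native executable rather than a stylesheet.
is_disguised_binary() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Demonstration on the constructed sample.
flag_proxyware_containers "$SAMPLE_DOCKER_PS"
```

On a real host, follow a SUSPECT hit with `docker inspect <id>` to recover the image source and start time, then check SSH authentication logs around that time as the article's intrusion path suggests.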

Link(s):
https://thehackernews.com/2023/06/cybercriminals-hijacking-vulnerable-ssh.html
https://www.akamai.com/blog/security-research/proxyjacking-new-campaign-cybercriminal-side-hustle