Hacked SSH servers and proxyjacking: a lucrative monetization scheme

The rise of proxyjacking attacks

Cybercriminals use hacked SSH servers for proxyjacking attacks

The cybersecurity landscape has recently seen the emergence of a new and concerning threat known as proxyjacking attacks. These sophisticated campaigns specifically target vulnerable SSH servers that are publicly available online, exploiting them for a highly profitable monetization scheme. The perpetrators of these malicious activities intend to profit from proxyware services that reward the sharing of unused internet bandwidth.

Proxyjacking, like its counterpart cryptojacking,^[1] is a low-effort, high-reward tactic used by cybercriminals. They gain unauthorized access to a vast network of devices by compromising SSH servers, which they can then use to their advantage. While cryptojacking involves mining cryptocurrencies using hacked systems, proxyjacking works on a different principle. Instead of directly affecting the stability and usability of the compromised servers, proxyjacking steals their unused bandwidth.

The stealthy nature of proxyjacking

The ability to go undetected is what makes proxyjacking so dangerous. Unlike other cyberattacks that disrupt system stability and usability, proxyjacking operates solely on the unused bandwidth of the hacked servers. This covert approach allows hackers to operate beneath the radar, making it more difficult for victims to detect that their systems have been compromised.

Furthermore, proxyjacking does not rely on the use of proxies to conceal malicious activity; rather, the cybercriminals behind this campaign are solely concerned with monetization via commercial proxyware services. According to Allen West, an Akamai security researcher, it is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Proxy or Honeygain.

The ongoing battle and implications

As security experts investigate these proxyjacking attacks further, they have made concerning discoveries. While investigating the campaign, Akamai came across a list that included the IP address that prompted the investigation, as well as over 16,500 other proxies shared on an online forum. Akamai first became aware of the attacks on June 8 when multiple SSH connections were made to honeypots managed by the company's Security Intelligence Response Team (SIRT).

Once inside a compromised SSH server, the attackers executed a Base64-encoded Bash script that added the compromised systems to proxy networks such as Honeygain or Peer2Profit. Furthermore, the script created a container by downloading Docker images associated with these networks while disabling competing bandwidth-sharing containers.

Further investigation revealed that the compromised servers contained cryptominers, exploits, and hacking tools. This suggests that threat actors have either fully embraced proxyjacking or are using it as an additional passive income stream. Allen West added:

It is a stealthier alternative to cryptojacking and has serious implications that can increase the headaches that proxied Layer 7 attacks already serve.

This proxyjacking campaign is one of many that enroll compromised systems in proxyware services such as Honeygain, Nanowire, Peer2Profit, IPRoyal, and others. Previous Cisco Talos^[2] and Ahnlab^[3] reports have also highlighted these trends. In April, Sysdig discovered proxyjackers who used the Log4j vulnerability^[4] to gain initial access, earning up to $1,000 for every 100 devices added to their proxyware botnet.

The ongoing battle against proxyjacking emphasizes the importance of strong cybersecurity measures. To reduce the risk of falling victim to these lucrative monetization schemes, organizations and individuals must remain vigilant, keeping their SSH servers secure and implementing regular security updates.