Cybercriminals Hijack Vulnerable SSH Servers in New Proxy Hijacking Campaign

An active, financially motivated campaign is targeting vulnerable SSH servers in order to covertly enlist them in a proxy network.

"This is an active campaign where attackers leverage SSH for remote access, run malicious scripts, and covertly incorporate victim servers into a peer-to-peer (P2P) proxy network such as Peer2Profit or Honeygain."

Unlike cryptojacking, in which compromised system resources are used to illegally mine cryptocurrency, proxy hijacking gives the threat actor the opportunity to covertly run various services as a P2P node using the victim's unused bandwidth.

The benefit is two-fold: not only can attackers monetize the spare bandwidth, but the activity demands far less of the compromised host's resources than cryptojacking does, which also lowers the chance of detection.

"It's a stealthier alternative to cryptojacking, with serious implications that can add to the headaches that proxied Layer 7 attacks already cause," West said.

Worse, the anonymity that proxyware services provide is a double-edged sword: malicious actors can abuse it to route traffic through intermediary nodes and obscure the origin of their attacks.

Akamai, which discovered the latest campaign on June 8, 2023, said it was aimed at compromising vulnerable SSH servers and deploying an obfuscated Bash script that in turn fetched its dependencies from a compromised web server, including the curl command-line tool disguised as a CSS file ("csdark.css").

The stealthy script also proactively searches for and terminates competing instances of bandwidth-sharing services, then starts a Docker service that shares the victim's bandwidth for profit.
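Because the campaign's payoff is a running proxyware container or process, the simplest host-side check is to look for the bandwidth-sharing services the article names in the container list and the process table. The following is an added example, not code from the article or from Akamai; the `docker ps` and `ps` output it parses is constructed here, and the image name, container name and binary path in that sample are made up for illustration.

```python
import re
from typing import Dict, List, Optional

# Indicators: the bandwidth-sharing services named in the article (Peer2Profit,
# Honeygain). Matched case-insensitively against image names, container names
# and process command lines.
PROXYWARE_PATTERNS = [re.compile(p, re.I) for p in (r"peer2profit", r"honeygain")]

# Constructed sample in the shape of:
#   docker ps --format '{{.ID}}\t{{.Image}}\t{{.Names}}'
# The container ID, image and name are invented for this example.
SAMPLE_DOCKER_PS = (
    "3f1a2b3c4d5e\tpeer2profit/peer2profit_linux:latest\tshare_node\n"
    "9a8b7c6d5e4f\tnginx:1.25\tweb\n"
)

# Constructed sample in the shape of `ps -eo pid,user,args` output.
# The /opt/hg/honeygain path is invented for this example.
SAMPLE_PS = (
    "  PID USER     COMMAND\n"
    "  812 root     /usr/sbin/sshd -D\n"
    " 2341 nobody   /opt/hg/honeygain\n"
    " 2390 www-data nginx: worker process\n"
)


def _match(text: str) -> Optional[str]:
    """Return the pattern that matched `text`, or None."""
    for pat in PROXYWARE_PATTERNS:
        if pat.search(text):
            return pat.pattern
    return None


def find_proxyware_containers(docker_ps_output: str) -> List[Dict[str, str]]:
    """Flag containers whose image or name matches a proxyware indicator."""
    hits = []
    for line in docker_ps_output.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip malformed lines
        cid, image, name = parts
        indicator = _match(image) or _match(name)
        if indicator:
            hits.append({"id": cid, "image": image, "name": name, "indicator": indicator})
    return hits


def find_proxyware_processes(ps_output: str) -> List[Dict[str, str]]:
    """Flag processes whose command line matches a proxyware indicator."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # first line is the ps header
        parts = line.split(None, 2)  # pid, user, rest of the command line
        if len(parts) != 3:
            continue
        pid, user, cmd = parts
        indicator = _match(cmd)
        if indicator:
            hits.append({"pid": pid, "user": user, "cmd": cmd, "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in find_proxyware_containers(SAMPLE_DOCKER_PS):
        print("container:", hit)
    for hit in find_proxyware_processes(SAMPLE_PS):
        print("process:", hit)
```

Name matching is only a first pass: a renamed image or binary slips through, so on production hosts it belongs next to a baseline of the containers and services that are expected to run there, with anything outside that baseline reviewed regardless of its name.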

Further inspection of the web server revealed that it was also being used to host a cryptocurrency miner, suggesting that the threat actor has dabbled in both cryptojacking and proxyjacking attacks.

While proxy software isn't inherently evil, Akamai noted that "some of these companies don't properly verify the origin of IPs on the network, and even occasionally recommend that people install the software on their work computers".

But the operation crosses into cybercrime when the application is installed without the user's knowledge or consent, letting the threat actor take control of multiple systems and generate illicit revenue.

"Old techniques still work, especially when paired with new results," West said. "Standard security practices remain an effective prevention mechanism, including strong passwords, patch management, and meticulous logging."
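The practices West lists map directly onto the initial access used here: password guessing against SSH. Below is an added example, not code from the article or from Akamai, showing the two defender-side pieces together: a check over sshd log lines that flags a login which succeeded only after a burst of failures from the same address (the "meticulous logging" half), and an audit of sshd_config that reports the settings which make such guessing possible beside the hardened values. The log lines and both configuration excerpts are constructed for this example; the directive names are standard OpenSSH ones.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sshd log sample (not real data): a password-guessing burst from
# one address that ends in a successful root login, then a normal key-based
# login from another address.
SAMPLE_SSHD_LOG = """\
Jun  8 03:12:01 srv sshd[2101]: Failed password for root from 203.0.113.5 port 51001 ssh2
Jun  8 03:12:03 srv sshd[2102]: Failed password for root from 203.0.113.5 port 51002 ssh2
Jun  8 03:12:05 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2
Jun  8 03:12:07 srv sshd[2104]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jun  8 03:12:09 srv sshd[2105]: Failed password for root from 203.0.113.5 port 51005 ssh2
Jun  8 03:12:11 srv sshd[2106]: Accepted password for root from 203.0.113.5 port 51006 ssh2
Jun  8 03:30:44 srv sshd[2200]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")


def detect_bruteforce_then_success(log_text: str, threshold: int = 3) -> List[Dict[str, object]]:
    """Return one alert per accepted login that was preceded by at least
    `threshold` failed password attempts from the same source address."""
    failures: Dict[str, int] = defaultdict(int)
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if failures[ip] >= threshold:
                alerts.append({"ip": ip, "user": user, "method": method,
                               "failures_before_success": failures[ip]})
            failures[ip] = 0  # a success resets the counter for that address
    return alerts


# Constructed sshd_config excerpts: the weak settings that allow password
# guessing against root, and the hardened counterpart.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Directive values the audit expects; anything else (or an absent directive,
# which leaves sshd on its compiled-in default) is reported.
EXPECTED = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "PubkeyAuthentication": "yes"}


def audit_sshd_config(config_text: str) -> List[str]:
    """Return a finding for every expected directive that is missing or weak."""
    seen: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen[parts[0]] = parts[1].strip()
    findings = []
    for key, want in EXPECTED.items():
        got = seen.get(key)
        if got is None:
            findings.append(f"{key} not set (sshd default applies); set it to {want}")
        elif got.lower() != want:
            findings.append(f"{key} is {got}; set it to {want}")
    return findings


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_SSHD_LOG):
        print("ALERT:", alert)
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

The detection keys on the pattern the campaign leaves behind rather than on any one indicator: many failures then a success from a single address, especially by password and especially as root. Turning off `PasswordAuthentication` and `PermitRootLogin` removes that pattern at the source; the log check then catches hosts where the configuration has drifted or been reverted.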


Source: blog.csdn.net/lavin1614/article/details/131480597