Saturday, April 13, 2024

Proxyjacking is a new active threat to SSH servers



How hackers profit from other people’s network power by connecting victims to their P2P networks.

Researchers at Akamai report on attackers who want to make money from other people’s traffic. They are running an active campaign to compromise vulnerable SSH servers and connect them to their network of proxy nodes.

“This is an active campaign in which an attacker uses SSH for remote access, running malicious scripts that silently connect victims’ servers to a peer-to-peer (P2P) proxy network such as Peer2Profit or Honeygain,” said Allen West, researcher at Akamai.

Unlike cryptojacking, in which the resources of an infected system are used to illegally mine cryptocurrency, proxyjacking allows attackers to use the unused bandwidth of the victim to covertly run various services as a P2P node.

This has a double benefit – not only does it allow the attacker to monetize additional traffic with a much lower load on the victim’s resources, but it also significantly reduces the likelihood of detection.

Even worse, the anonymity provided by proxy services can be a powerful weapon in the sense that it can be misused by hackers to hide the source of their attacks by routing all traffic through intermediate nodes.

Akamai, which discovered this campaign on June 8, 2023, reported that it targets vulnerable SSH servers and deploys an obfuscated Bash script which, in turn, is able to obtain the dependencies it needs from the infected web server, including the “curl” command-line tool disguised as a CSS file (“csdark.css”).

Before launching, the hidden script also actively seeks out and terminates competing instances of similar malware that share the victim’s bandwidth for profit.
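A defender-side sweep for the two artifacts described above, a native binary hiding behind an asset extension such as “csdark.css” and a running proxyware client, written here as an added example that is not from Akamai or the original article. The extension list, the substring matching on process lines and all sample data are assumptions constructed for illustration.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# Extensions that should never hold a native executable (assumed list, extend as needed).
ASSET_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".txt", ".html"}
# Proxyware names taken from the article; substring matching is an assumption.
PROXYWARE_KEYWORDS = ("peer2profit", "honeygain")


def find_disguised_binaries(root):
    """Return paths under root with an asset extension but ELF content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in ASSET_EXTENSIONS or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    if fh.read(4) == ELF_MAGIC:
                        hits.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(hits)


def find_proxyware_processes(ps_lines):
    """Return process-list lines whose command mentions a known proxyware name."""
    return [ln for ln in ps_lines if any(k in ln.lower() for k in PROXYWARE_KEYWORDS)]


def demo():
    """Run both checks on constructed sample data (not from a real incident)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "csdark.css"), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # fake ELF header
        with open(os.path.join(root, "site.css"), "wb") as fh:
            fh.write(b"body { color: #222; }\n")
        files = [os.path.basename(p) for p in find_disguised_binaries(root)]
    ps_sample = [  # constructed `ps -eo pid,args` style lines
        "  812 /usr/sbin/sshd -D",
        " 4121 /tmp/p2p/peer2profit",
        " 4388 nginx: worker process",
    ]
    return files, find_proxyware_processes(ps_sample)
```

On a real host, point `find_disguised_binaries` at web roots and world-writable directories, and feed `find_proxyware_processes` the lines of `ps -eo pid,args`.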

Further investigation of the web server of the cryptocriminals revealed that it is also used to host a cryptocurrency miner, indicating that the attackers are actively engaged in both cryptojacking and proxyjacking.

Although the software to provide proxy connections is not malicious in itself, Akamai researchers noted that “some of these services do not properly check the source IP-addresses on the network”, which exposes users to a very real risk.

Akamai representatives noted that standard security practices still remain an effective mechanism for preventing malicious activity. Strong passwords, multi-factor authentication, timely updates, and careful system logging will help you avoid compromise, or at least notice it in time.


