Proxyjacking: A New Wave of Cyberattacks Targets SSH Servers
A New Hacker Method Using Obfuscated Scripts

Overt Operator
July 03, 2023
This story is developing. Overt Operator will provide updates as new information becomes available.
The last decade has seen a steady evolution in the methods and tactics employed by cybercriminals, with the recent emergence of an attack vector known as 'proxyjacking' adding to the ever-growing list of cybersecurity concerns.
Researchers from the Akamai Security Intelligence Response Team (SIRT) discovered an active threat campaign where threat actors exploit vulnerable Secure Shell Protocol (SSH) servers to monetize network bandwidth through illicit practices.
These cybercriminals employ obfuscated scripts, or scripts that use complex "roundabout phrases", to stealthily hijack victim server bandwidth, integrating the servers into legitimate proxy networks such as Peer2Proxy or Honeygain. This new type of attack, proxyjacking, leverages SSH for remote access, running malicious scripts that enlist victim servers into these peer-to-peer proxy networks without the victims' knowledge.
Internet-connected devices, when installed with companion apps or software from these networks, effectively become gateways for bandwidth sharing. The cybercriminals behind these proxyjacking campaigns profit by selling access to the IP addresses of the unwitting victims.
This attack vector is particularly troubling due to its stealthy nature and the potential financial incentives for the threat actors. The fact that threat actors exploit widely used SSH servers, which are critical for secure remote administration of systems, makes this a significant cybersecurity threat.
In addition to the exploitation threat, bandwidth hijacking could lead to the degradation of network services or potentially push victims into breaching their internet service providers' fair use policies.
The discovery of this proxyjacking campaign comes amid growing concerns about the increasing sophistication and frequency of cyberattacks globally. Recent events, such as the cyberattack on Russian satellite communications operator Dozor-Teleport, have demonstrated the potential for serious disruptions to critical infrastructure and services.
The Dozor-Teleport attack, perpetrated by an unidentified group of hackers, led to significant disruptions in the services used by energy companies and Russian defense and security services.
The threat landscape is changing rapidly, with cyber criminals continuously finding new and creative ways to exploit vulnerabilities in our digital infrastructure.
As the proxyjacking phenomenon underscores, it is critical for organizations to regularly update their security practices, monitor their networks for unusual activity, and ensure their systems are patched and protected from known vulnerabilities. This is especially true for SSH servers, which, due to their broad usage, represent a particularly attractive target for cyber criminals.
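One way to act on the monitoring advice above, as an added example that is not from the article or from Akamai's report: flag processes whose command line mentions the proxy networks named here and report whether each one descends from an SSH session. The process snapshot, paths and keyword matching are constructed assumptions; on a real host the list would come from the system's process table.

```python
# Added example with constructed data; names and paths are hypothetical.
# Keywords are the proxy network names as given in the article.
PROXYWARE_KEYWORDS = ("honeygain", "peer2proxy")

# Constructed process snapshot: (pid, ppid, command line).
# OpenSSH titles per-session processes as "sshd: user@tty".
SAMPLE_PROCESSES = [
    (1, 0, "/sbin/init"),
    (700, 1, "/usr/sbin/sshd -D"),
    (900, 1, "/opt/peer2proxy/agent"),          # started by init, not by SSH
    (1500, 700, "sshd: admin@pts/0"),
    (1501, 1500, "-bash"),
    (1600, 1501, "vim /etc/motd"),              # ordinary admin activity
    (2100, 700, "sshd: root@notty"),            # non-interactive session
    (2101, 2100, "bash -c ./setup.sh"),
    (2150, 2101, "/tmp/.cache/Honeygain-client"),
]


def ancestors(pid, parents):
    """Yield the ancestors of pid, nearest first; stop on a gap or a loop."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        yield pid


def find_proxyware(processes, keywords=PROXYWARE_KEYWORDS):
    """Return one finding per process whose command line matches a keyword."""
    parents = {pid: ppid for pid, ppid, _ in processes}
    cmds = {pid: cmd for pid, _, cmd in processes}
    findings = []
    for pid, _, cmd in processes:
        hit = next((k for k in keywords if k in cmd.lower()), None)
        if hit is None:
            continue
        # Nearest ancestor that is an SSH session process, if any.
        session = next((cmds[a] for a in ancestors(pid, parents)
                        if cmds.get(a, "").startswith("sshd: ")), None)
        findings.append({"pid": pid, "keyword": hit, "ssh_session": session})
    return findings


if __name__ == "__main__":
    for finding in find_proxyware(SAMPLE_PROCESSES):
        print(finding)
```

A finding with an `ssh_session` points to the login to investigate; one without it was started some other way and still needs an owner.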