Online attackers are stealing IP addresses and converting them into cash by selling so-called proxyware services.

The Threat Research team at Sysdig reported Tuesday that malicious actors are installing proxyware on computers without the owners’ knowledge and then selling the machines’ IP addresses to the proxyware service, earning US$10 a month for every compromised device.

The researchers explained in a company blog that proxyware services allow users to make money by sharing their Internet connection with others. Attackers, however, are taking advantage of the platforms to monetize victims’ internet bandwidth, just as malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems.

“Proxyware services are legitimate, but they cater to people who want to circumvent security and restrictions,” said Michael Clark, director of threat research at Sysdig, a San Francisco-based maker of a SaaS platform for threat detection and response.

“They use residential addresses to bypass bot protection,” he told TechNewsWorld.

For example, buying up limited-release sneakers can be very profitable, but websites put protections in place to limit sales to a single pair per IP address, he explained. Buyers use these proxy IP addresses to buy and resell as many pairs as possible.

“Sites rely more heavily on residential IP addresses than on other types of addresses,” he said. “That’s why there’s such a premium on residential addresses, but cloud services and mobile phones are also starting to become desirable for these services.”

Fodder for Influencers

These apps are often promoted through referral programs, with many notable “influencers” pitching them as passive income opportunities, said Emmanuel Chavoya, senior manager of product security at SonicWall, a network firewall manufacturer in Milpitas, California.

“Income seekers download software to share their bandwidth and make money,” he told TechNewsWorld.

“However,” he continued, “these proxyware services can expose users to disproportionate levels of risk, as users cannot control the activities performed using their home and mobile IP addresses.”

“There have been instances of users or their infrastructure unwittingly engaging in criminal activity,” he said.

Such activity includes access to potential click-fraud or silent advertising sites, SQL injection probes, attempts to access the critical /etc/passwd file on Linux and Unix systems (which keeps track of the registered users with access to a system), crawling of government websites, crawling of personally identifiable information, including national IDs and Social Security numbers, and the bulk registration of social media accounts.

Organizations Beware

Proxyware services can also be used to generate Web traffic or manipulate Web search results, explained Timothy Morris, chief security advisor for Tanium, maker of an endpoint management and security platform in Kirkland, Wash.

“Some proxy clients will come with ‘bonus content’ that may be ‘trojanized’ or malicious, providing unauthorized access to the computer running the proxy service, usually for crypto mining,” he told TechNewsWorld.

Sysdig Threat Research Engineer Crystal Morin said organizations affected by proxyware could see an increase in their cloud platform management costs and a drop in service.

“And just because an attacker is doing crypto mining or proxyjacking on your network doesn’t mean that’s all they’re doing,” she told TechNewsWorld.

“There is a concern that if they are using Log4j or some other vulnerability, and they have access to your network,” she continued, “they can do something beyond using the system for profit, so you have to be careful and watch for other malicious activity.”

Clark said an organization may also face some reputational risks from proxyjacking.

“There may be illegal activity going on that can be attributed to the company or organization whose IP was taken, and they may end up on a denial list for threat intelligence services, potentially losing connectivity completely. There could be a problem with the victim’s internet connection,” he said.

“There could also be a potential law enforcement investigation,” he said.

He added that the proxyjacking activity uncovered by Sysdig researchers was intended to target organizations. “The attackers cast a wide net across the Internet and targeted cloud infrastructure,” he said.

“Typically,” he continued, “we would see this type of attack bundled in Windows adware. This time we are targeting cloud networks and servers, which is more business oriented.”

Log4j Vulnerability Exploited

The attackers studied by Sysdig researchers exploited the Log4j vulnerability to compromise their targets. The flaw, discovered in 2021 in a popular open-source Java-based logging utility, is estimated to have affected 93% of all enterprise cloud environments.

“Millions of systems are still running with vulnerable versions of Log4j, and according to Censys, more than 23,000 of them are accessible from the Internet,” the researchers wrote.

“Log4j is not the only attack vector for proxyjacking malware to be deployed, but this vulnerability alone could theoretically provide over $220,000 in profit per month,” they added. “More conservatively, a modest set of 100 IPs would net a passive income of approximately $1,000 per month.”

Although the Log4j vulnerability should no longer be an issue, there is still a “long tail” of vulnerable systems that haven’t been patched, observed Mike Parkin, a senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber exposure remediation in Tel Aviv, Israel.

He told TechNewsWorld, “The number of vulnerable systems is going down, but it will still take some time to reach zero – either all of the rest are being patched or the remainder are being found and exploited.”

“The vulnerability is being actively exploited,” Morris said. “There are reports of vulnerable versions still being downloaded.”

Protection Through Detection

To protect against proxyjacking, Morin recommends robust and continuous real-time threat detection.

“Unlike cryptojacking, where you would see spikes in CPU usage, CPU usage is very low here,” she explained. “So, the best way to detect it is through detection analytics, where you’re looking for the kill chain aspects of the attack — initial access, vulnerability exploitation, detection evasion, persistence.”

Chavoya advised organizations to create detailed rules for what types of applications are allowed on end-user devices through application whitelisting.

Whitelisting involves creating a list of approved applications that can run on devices within an organization’s network and preventing any other applications from running.

“This can be a highly effective way to prevent proxyware and other types of malware from running on devices within an organization’s network,” Chavoya said.

“By creating detailed rules for what types of applications are allowed on end user devices, organizations can ensure that only authorized and necessary applications are allowed to run,” he continued.

“This can greatly reduce the risk of proxyjacking and other types of cyber-attacks that rely on unauthorized applications running on end-user devices,” he concluded.

Canonical is emphasizing security and usability for managing Internet of Things (IoT) and edge devices with its June 15 release of Ubuntu Core 22, a fully containerized variant of Ubuntu 22.04 LTS optimized for IoT and edge devices.

In line with Canonical’s technology offering, this release brings Ubuntu’s operating system and services to the full range of embedded and IoT devices. The new release includes a fully preemptible real-time kernel to ensure timely responses. Canonical partners with silicon and hardware manufacturers to enable advanced real-time features on Ubuntu certified hardware.

“At Canonical, we aim to provide secure, reliable open-source access everywhere – from the development environment to the cloud, to the edge and across devices,” said Mark Shuttleworth, Canonical CEO. “With this release and Ubuntu’s real-time kernel, we are ready to extend the benefits of Ubuntu Core throughout the embedded world.”

One important thing about Ubuntu Core is that it is effectively Ubuntu. It is fully containerized: all applications, the kernel and the operating system itself are strictly confined snaps.

This means it is ultra-reliable and perfect for unattended devices. All unnecessary libraries and drivers have been removed, said David Beamonte Arbués, product manager for IoT and embedded products at Canonical.

“It uses the same kernel and libraries as Ubuntu and its flavors, and it’s something that developers love, because they can share the same development experience for every Ubuntu version,” he told LinuxInsider.

He said it has out-of-the-box security features such as secure boot and full disk encryption to prevent firmware replacement as well as firmware and data manipulation.

Certified Hardware Is Key

Ubuntu’s certified hardware program is a key distinguishing factor in the industry’s adoption of Core OS. It defines a range of trusted IoT and edge devices that are known to work with Ubuntu.

The program typically includes a commitment to continuous testing of certified hardware in Canonical’s laboratories with every security update throughout the device’s lifecycle.

Advantech, which provides embedded, industrial, IoT and automation solutions, has strengthened its participation in the Ubuntu Certified Hardware program, said Eric Cao, director of Advantech WISE-Edge+.

“Canonical ensures that certified hardware undergoes an extensive testing process and provides a stable, secure and optimized Ubuntu core to reduce market and development costs for our customers,” he said.

Another use case, cited by Brad Kehler, COO of KMC Controls, is the security benefit that Core OS brings to the company’s range of IoT devices, which are purpose-built for mission-critical industrial environments.

“Security is of paramount importance to our customers. We chose Ubuntu Core for its built-in advanced security features and robust over-the-air update framework. Ubuntu Core comes with a 10-year security update commitment that allows us to keep devices secure in the field for their long life. With a proven application enablement framework, our development team can focus on building applications that solve business problems,” he said.

Solving Major Challenges

IoT manufacturers face complex challenges in deploying devices on time and within budget. As device fleets expand, ensuring security and remote management becomes taxing. Ubuntu Core 22 helps manufacturers meet these challenges with an ultra-secure, resilient and low-touch OS, backed by a growing ecosystem of silicon and original design manufacturer (ODM) partners.

The first major challenge is enabling the OS for their hardware, be it custom or generic, noted Arbués. It’s hard work, and many organizations lack the skills to perform kernel porting tasks.

“Sometimes they have in-house expertise, but development can take a lot longer. This can affect both time and budget,” he explained.

IoT devices are mostly unattended. They are usually deployed in places with limited or difficult access, he offered, so it is essential that they be extremely reliable. It is costly to send a technician into the field to recover a bricked or non-booting device, so reliability, low touch and remote manageability are key factors in reducing OpEx.

He added that this also makes managing the devices’ software more challenging. A mission-critical, bullet-proof update mechanism is essential.

“Manufacturers have to decide early in their development whether they are going to use their own infrastructure or third parties to manage the software for the devices,” Arbués said.

Beyond Standard Ubuntu

The containerization in Core 22 goes beyond the containerization available in non-Core Ubuntu OSes. In Ubuntu Desktop or Server, the kernel and operating system are .deb packages, and applications can run as either .deb packages or snaps.

“In Ubuntu Core, all applications are strictly confined snaps,” Arbués continued. “This means that there is no way to access them from other applications other than through some well-defined and secure interfaces.”

Not only are applications snaps; so are the kernel and the operating system. This makes it really useful for managing the whole system’s software, he said.

“Although classic Ubuntu OSes can use snaps, it is not mandatory to use them strictly confined, so applications can have access to the full system, and the system can have access to applications.”

Strict confinement is mandatory in Ubuntu Core, and both the kernel and the operating system are themselves strictly confined snaps. In addition, the classic Ubuntu versions are not optimized for size and do not include some of the features of Ubuntu Core, such as secure boot, full disk encryption and recovery mode.
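As an added illustration of the strict confinement and explicit interfaces described above (this is not from the page or from Canonical’s own documentation), here is a minimal snapcraft.yaml for an app destined for an Ubuntu Core device; the snap name, command and chosen interfaces are constructed for the example.

```yaml
# Added illustration: minimal snapcraft.yaml for a strictly confined snap.
# The snap name, command and parts below are constructed for this example.
name: sensor-agent
base: core22
version: '1.0'
summary: Example telemetry agent for an Ubuntu Core device
description: Constructed example showing strict confinement on Ubuntu Core.
grade: stable

# Ubuntu Core only installs strictly confined snaps. A 'classic' snap,
# which can read and write the whole host filesystem, is refused there.
confinement: strict

apps:
  sensor-agent:
    command: bin/sensor-agent
    daemon: simple
    # Every interface the app needs must be declared as a plug. Anything
    # not listed here (home, system-files, raw-usb, ...) stays out of reach,
    # so the agent can only talk on the network, not read other snaps' data.
    plugs:
      - network
      - network-bind

parts:
  sensor-agent:
    plugin: dump
    source: .
```

After installation, `snap connections sensor-agent` shows which of the declared plugs are actually connected, which is the check to run when reviewing what a device’s apps can reach.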

Other Essential Core 22 Features:

  • Real-time compute support via a real-time beta kernel provides high performance, ultra-low latency and workload predictability for time-sensitive industrial, telco, automotive and robotics use cases.
  • A dedicated IoT App Store, a private app store for each device running Ubuntu Core, provides complete control over apps and lets manufacturers create, publish and distribute software on a single platform. The IoT App Store gives enterprises a sophisticated software management solution, enabling a range of new on-premises features.
  • Transactional control for mission-critical over-the-air (OTA) updates of the kernel, OS and applications. These updates always either complete successfully or automatically revert to the previous working version, so a device cannot be “bricked” by an incomplete update. Snaps also provide delta updates to reduce network traffic, and digital signatures to ensure software integrity and provenance.

More information about Ubuntu Core 22 can be found at ubuntu.com/core.

Download images for some of the most popular platforms or browse all supported images here.