Online attackers are stealing IP addresses and converting them into cash by selling so-called proxyware services.

The Threat Research team at Sysdig reported Tuesday that malicious actors are installing proxyware on computers without the owner’s knowledge, then selling the unit’s IP address to the proxyware service, making US$10 a month for every compromised device. Happening.

The researchers explained in a company blog that proxyware services allow users to make money by sharing their Internet connection with others. Attackers, however, are taking advantage of the platforms to monetize victims’ internet bandwidth, just as malicious cryptocurrency mining attempts to monetize the CPU cycles of infected systems.

“Proxyware services are legitimate, but they cater to people who want to circumvent security and restrictions,” said Michael Clarke, director of threat research at Sysdig, a San Francisco-based maker of SaaS platforms for threat detection and response. Said.

“They use residential addresses to bypass bot protection,” he told TechNewsWorld.

For example, buying lots of sneaker brands can be very profitable, but websites put in protections to limit sales to a single pair per IP address, he explained. They use these proxy IP addresses to buy and resell as many pairs as possible.

“Sites rely more heavily on residential IP addresses than on other types of addresses,” he said. “That’s why there’s such a premium on residential addresses, but cloud services and mobile phones are also starting to become desirable for these services.”

food for influencers

These apps are often promoted through referral programs, with many notable “influencers” promoting them for passive income opportunities, says Emmanuel Chavoya, senior manager of product security at SonicWall, a network firewall manufacturer in Milpitas, California. he said.

“Income seekers download software to share their bandwidth and make money,” he told TechNewsWorld.

“However,” he continued, “these proxyware services can expose users to disproportionate levels of risk, as users cannot control the activities performed using their home and mobile IP addresses.”

“There have been instances of users or their infrastructure unwittingly engaging in criminal activity,” he said.

Such activity includes access to potential click-fraud or silent advertising sites, SQL injection probes, and attempts to access the critical /etc/passwd file on Linux and Unix systems (which keeps track of registered users with access to a system). , including crawling government websites. The crawling of personally identifiable information – including national IDs and Social Security numbers – and the bulk registration of social media accounts.

organization careful

Proxyware services can be used to generate Web traffic or manipulate Web search results, explained Timothy Morris, chief security advisor for Tenium, maker of an endpoint management and security platform in Kirkland, Wash.

“Some proxy clients will come with ‘bonus content’ that may be ‘trojanized’ or malicious, providing unauthorized access to the computer running the proxy service, usually for crypto mining,” he told TechNewsWorld.

Sysdig Threat Research Engineer Crystal Morin said organizations affected by proxyware could see an increase in their cloud platform management costs and a drop in service.

“And just because an attacker is doing crypto mining or proxyjacking on your network doesn’t mean that’s all they’re doing,” he told TechNewsWorld.

“There is a concern that if they are using Log4j or some other vulnerability, and they have access to your network,” he continued, “they can do something beyond using the system for profit, so you have to Have to be careful and watch for other malicious activity.

Clark said an organization may also face some reputational risks from proxyjacking.

“There may be illegal activity going on that can be attributed to the company or organization whose IP was taken, and they may end up on a denial list for threat intelligence services, allowing people to leave completely.” There could be a problem with the internet connection of the victim,” he said.

“There could also be a potential law enforcement investigation,” he said.

He added that the proxyjacking activity uncovered by Sysdig researchers was intended to target organizations. “The attackers cast a wide net across the Internet and targeted cloud infrastructure,” he said.

“Typically,” he continued, “we would see this type of attack bundled in Windows adware. This time we are targeting cloud networks and servers, which is more business oriented.”

Log4j vulnerability was exploited

The attackers studied by Sysdig researchers exploited the Log4j vulnerability to compromise their targets. A flaw in a popular open-source Java-based logging utility discovered in 2021 is estimated to have affected 93% of all enterprise cloud environments.

“Millions of systems are still running with vulnerable versions of Log4j, and according to Sensis, more than 23,000 of them are accessible from the Internet,” the researchers wrote.

“Log4j is not the only attack vector for proxyjacking malware to be deployed, but this vulnerability alone could theoretically provide over $220,000 in profit per month,” he said. “More conservatively, a modest settlement of 100 IPs would net a passive income of approximately $1,000 per month.”

While this shouldn’t be an issue, there is still a “long tail” of systems vulnerable to the Log4J vulnerability that haven’t been patched, observed Mike Parkin, a senior technical engineer at Vulkan Cyber, a provider of SaaS for enterprise cyber. . Exposure treatment in Tel Aviv, Israel.

He told TechNewsWorld, “The number of vulnerable systems is going down, but it will still take some time to reach zero – either all of the rest are being patched or the remainder are being found and exploited.” Used to be.”

“The vulnerability is being actively exploited,” Morris said. “There are reports of vulnerable versions still being downloaded.”

protect through investigation

To protect yourself from proxyjacking, Morin recommends robust and continuous real-time threat detection.

“Unlike cryptojacking, where you would see spikes in CPU usage, CPU usage is very low here,” he explained. “So, the best way to detect it is through detection analytics, where you’re looking for the kill chain aspects of the attack — early access, vulnerability exploitation, detection evasion, persistence.”

Chavoya advised organizations to create detailed rules for what types of applications are allowed on end-user devices through application whitelisting.

Whitelisting involves creating a list of approved applications that can run on devices within an organization’s network and preventing any other applications from running.

“This can be a highly effective way to prevent proxyware and other types of malware from running on devices within an organization’s network,” Chavoya said.

“By creating detailed rules for what types of applications are allowed on end user devices, organizations can ensure that only authorized and necessary applications are allowed to run,” he continued.

“This can greatly reduce the risk of proxyjacking and other types of cyber-attacks that rely on unauthenticated applications running on end-user devices,” he concluded.