An increasingly popular form of fraud that utilizes legitimate proxyware services to hijack legitimate ones has been identified by threat actors. Some services allow people to sell Internet bandwidth to third parties to make extra money. According to researchers from Sysdig Threat Research Team (TRT), large-scale attacks exploiting cloud-based systems can bring cybercriminals hundreds of thousands of dollars of passive income per month by exploiting this vector - dubbed "proxy jacking" - that is used by attackers to obtain access to the server.
Many companies now charge customers a fee for using a different Internet Protocol (IP) address when watching YouTube videos that aren’t available in their region, scraping and surfing the web without attribution, or browsing dubious websites without attribution of their IP address. This kind of service can be found in dozens of companies now.
As part of the proxyware ecosystem, you can find legitimate businesses overseas selling it as proxyware. These businesses include IPRoyal, Honeygain, and Peer2Profit. The concept has, as expected, also attracted the attention of cybercriminals, and its potential can also be exploited.
As proxyware services have grown and become popular in recent years, proxy jacking has become an increasingly prevalent phenomenon brought about by this growing use. Proxyware services offer legitimate and non-malicious applications or software that can be installed on any internet-connected device as long as it is not connected to malicious websites or programs.
When you run this program, you share your internet bandwidth with others when the program is asked to share an IP address with you.
Sysdig says proxy hacking could even be as lucrative and easier to commit as it is less computationally demanding and energy-consuming than actual hacking because it uses less energy.
This report claims that an attacker sold the victim's IP addresses to proxyware services for profit to profit from the attack. There is a method known as proxy jacking. This is where a threat actor installs proxyware on an unsuspecting victim's computer to segment their network. The goal here is to resell bandwidth to compromised devices for a price of $10 per month, allowing the operation to be profitable. Victims are consequently exposed to higher costs and risks than they would otherwise be.
IP addresses can also be abused to commit crimes in a variety of ways, including as a means to steal personal information. The Cisco Talos Intelligence Group and AhnLab Security researchers have identified that in recent years attacks have been perpetrated where, without a person's knowledge, the IP address of their device has been permanently changed and infected adware has been used to secretly take over the device. Neither company isolated the practice from crypto mining, which involves hacking into compromised systems and mining cryptocurrency.
Log4j vulnerability was discovered by Chinese researchers in December 2021, and reported by many news outlets. In response to the issue, governments and businesses around the globe launched a global initiative designed to address it. Cybercriminals still exploit this bug to gain access to sensitive information. It has been reported that millions of computers still run vulnerable versions of Log4j based on data from the security company Censys. Various data can be recorded and stored with this software, depending on the service and device being used.
Even though other attacks have been seen in proxy jacking incidents, researchers believe that the Log4j vulnerability appears to be the most popular method of attack.
Mike Parkin, director of Vulcan Cyber's security operations, said in an interview that if Log4j's "long tail" is anything to go by, then it will take a while before the number of vulnerable systems will just disappear altogether.
As per Sysdig's identification of the case, hackers exploited the Kubernetes infrastructure by exploiting the services it offers. Kubernetes container orchestration system is an open-source system for orchestrating software container deployment. Specifically, the hackers exploited a vulnerability in Apache Solr. This vulnerability, if not patched, makes it possible for them to take control of the container and execute a proxy jacking attack on the container.
It is estimated that the amount of money an attacker can net from crypto-jacking and proxy jacking will be about the same each month - proxy jacking is even likely to be more lucrative today given the current crypto-exchange rates and proxyware payment schedules.
There is, however, no doubt that most monitoring software will use CPU usage (and it's for very good reason) as one of their first (and most important) metrics. Proxy jacking has minimal system impact. A single gigabyte of traffic spread across a month would be the equivalent of tens of megabytes a day - very unlikely to make a noticeable impact.
You should remember that the IP address market can often lead to other problems. Several researchers have suggested that it is still possible for your internet bandwidth to be misused or stolen if you sell it knowingly to a proxyware service, according to Sysdig's and other researchers' findings.
As easy as purchasing and using your shared internet, an attacker can do the same to launch an attack against you. Researchers from Sysdig explained how malicious attackers employ proxy servers to conceal command, control activities, and identify information.
