Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label Proxy Server. Show all posts

The Critical Role of Proxy Servers in Modern Digital Infrastructure

In order to connect an individual user or entire network to the broader internet, a proxy server serves as an important gateway that adds a critical level of protection to the broader internet at the same time. In order to facilitate the connection between end users and the online resources they access, proxy servers act as intermediaries between them. 

They receive requests from the user for web content, obtain the information on their behalf, and forward the information to the client. As a result of this process, not only is network traffic streamlined, but internal IP addresses can be hidden, ensuring that malicious actors have a harder time targeting specific devices directly. 

By filtering requests and responses, proxy servers play a vital role in ensuring the safety of sensitive information, ensuring the enforcement of security policies, and ensuring the protection of privacy rights. 

The proxy server has become an indispensable component of modern digital ecosystems, whether it is incorporated into corporate infrastructures or used by individuals seeking anonymity when conducting online activities. As a result of their ability to mitigate cyber threats, regulate access, and optimize performance, businesses and consumers alike increasingly rely on these companies in order to maintain secure and efficient networks.

Whether it is for enterprises or individuals, proxy servers have become a crucial asset, providing a versatile foundation for protecting data privacy, reinforcing security measures, and streamlining content delivery, offering a variety of advantages for both parties. In essence, proxy servers are dedicated intermediaries that handle the flow of internet traffic between a user's device and external servers, in addition to facilitating the flow of information between users and external servers. 

It is the proxy server that receives a request initiated by an individual—like loading a web page or accessing an online service—first, then relays the request to its intended destination on that individual's behalf. In the remote server, a proxy is the only source of communication with the remote server, as the remote server recognizes only the proxy's IP address and not the source's true identity or location. 

In addition to masking the user's digital footprint, this method adds a substantial layer of anonymity to the user's digital footprint. A proxy server not only hides personal details but also speeds up network activity by caching frequently requested content, filtering harmful or restricted content, and controlling bandwidth. 

Business users will benefit from proxy services since they are able to better control their web usage policies and will experience a reduction in their exposure to cyber threats. Individuals will benefit from proxy services because they can access region-restricted resources and browse more safely. 

Anonymity, performance optimization, and robust security have all combined to become the three most important attributes associated with proxy servers, which allow users to navigate the internet safely and efficiently, no matter where they are. It is clear from the definition that proxy servers and virtual private networks (VPNs) serve the same purpose as intermediaries between end users and the broader Internet ecosystem, but that their scope, capabilities, and performance characteristics are very different from one another. 

As the name suggests, proxy servers are primarily created to obscure a user's IP address by substituting it with their own, thus enabling users to remain anonymous while selectively routing particular types of traffic, for example, web browser requests or application data. 

Proxy solutions are targeted towards tasks that do not require comprehensive security measures, such as managing content access, bypassing regional restrictions, or balancing network loads, so they are ideal for tasks requiring light security measures. By contrast, VPNs provide an extremely robust security framework by encrypting all traffic between an individual's computer and a server, thus providing a much more secure connection. 

Because VPNs protect sensitive data from interception or surveillance, they are a great choice for activities that require heightened privacy, such as secure file transfers and confidential communication, since they protect sensitive data from interception or surveillance. While the advanced encryption is used to strengthen VPN security, it can also cause latency and reduce connection speeds, which are not desirable for applications that require high levels of performance, such as online gaming and media streaming. 

Proxy servers are straightforward to operate, but they are still highly effective in their own right. A device that is connected to the internet is assigned a unique Internet Protocol (IP) address, which works a lot like a postal address in order to direct any online requests. When a user connects to the internet using a proxy, the user’s device assumes that the proxy server’s IP address is for all outgoing communications. 

A proxy then passes the user’s request to the target server, retrieves the required data, and transmits the data back to the user’s browser or application after receiving the request. The originating IP address is effectively concealed with this method, minimizing the chance that the user will be targeted, tracked, profiled, or tracked through this method. 

Through masking network identities and selectively managing traffic, proxy servers play a vital role in maintaining user privacy, ensuring compliance, and enabling secure, efficient access to online resources. It has been shown that proxy servers have a number of strategic uses that go far beyond simply facilitating web access for businesses and individuals. 

Proxy servers are effective tools in both corporate and household settings for regulating and monitoring internet usage and control. For example, businesses can configure proxy servers to limit employee access to non-work related websites during office hours, while parents use similar controls to limit their children from seeing inappropriate content. 

 As part of this oversight feature, administrators can log all web activity, enabling them to monitor browsing behaviour, even in instances where specific websites are not explicitly blocked. Additionally, proxy servers allow for considerable bandwidth optimisation and faster network performance in addition to access management. 

The caching of frequently requested websites on proxies reduces redundant data transfers and speeds up load times whenever a large number of people request the same content at once. Doing so not only conserves bandwidth but also allows for a smoother, more efficient browsing experience. Privacy remains an additional compelling advantage as well. 

When a user's IP address is replaced with their own by a proxy server, personal information is effectively masked, and websites are not able to accurately track users' locations or activities if they don't know their IP address. The proxy server can also be configured to encrypt web requests, keeping sensitive data safe from interception, as well as acting as a gatekeeper, blocking access to malicious domains and reducing cybersecurity threats. 

They serve as gatekeepers, thereby reducing the risk of data breaches. The proxy server allows users, in addition to bypassing regional restrictions and censorship, to route traffic through multiple servers in different places. This allows individuals to access resources that would otherwise not be accessible while maintaining anonymity. In addition, when proxies are paired up with Virtual Private Networks (VPN), they make it even more secure and controlled to connect to corporate networks. 

In addition to forward proxies, which function as gateways for internal networks, they are also designed to protect user identities behind a single point of entry. These proxies are available in a wide variety of types, each of which is suited to a specific use case and specific requirements. 

It is quite common to deploy transparent proxies without the user's knowledge to enforce policies discreetly. They deliver a similar experience to direct browsing and are often deployed without the user's knowledge. The anonymous proxy and the high-anonymity proxy both excel at concealing user identities, with the former removing all identifying information before connecting to the target website. 

By using distortion proxies, origins are further obscured by giving false IP addresses, whereas data centre proxies provide fast, cost-effective access with infrastructure that is not dependent upon an internet service provider. It is better to route traffic through authentic devices instead of public or shared proxies but at a higher price. Public or shared proxies are more economical, but they suffer from performance limitations and security issues. 

SSL proxies are used to encrypt data for secure transactions and improve search rankings, while rotating proxies assign dynamic IP addresses for the collection of large amounts of data. In addition, reverse proxies provide additional security and load distribution to web servers by managing incoming traffic. Choosing the appropriate proxy means balancing privacy, speed, reliability, and cost. It is important to note that many factors need to be taken into account when choosing a proxy. 

The use of forward proxies has become significantly more prevalent since web scraping operations combined them with distributed residential connections, which has resulted in an increasing number of forward proxies being created. In comparison to sending thousands of requests for data from a centralized server farm that might be easily detected and blocked, these services route each request through an individual home device instead. 

By using this strategy, it appears as if the traffic originated organically from private users, rather than from an organized scraping effort that gathered vast amounts of data from public websites in order to generate traffic. This can be achieved by a number of commercial scraping platforms, which offer incentives to home users who voluntarily provide a portion of their bandwidth via installed applications to scrape websites. 

On the other hand, malicious actors achieve a similar outcome by installing malware on unwitting devices and exploiting their network resources covertly. As part of regulatory mandates, it is also common for enterprises or internet service providers to implement transparent proxies, also known as intercepting proxies. These proxies quietly record and capture user traffic, which gives organisations the ability to track user behaviour or comply with legal requirements with respect to browsing habits. 

When advanced security environments are in place, transparent proxies are capable of decrypting encrypted SSL and TLS traffic at the network perimeter, thoroughly inspecting its contents for concealed malware, and then re-encrypting the data to allow it to be transmitted to the intended destination. 

A reverse proxy performs an entirely different function, as it manages inbound connections aimed at the web server. This type of proxy usually distributes requests across multiple servers as a load-balancing strategy, which prevents performance bottlenecks and ensures seamless access for end users, especially during periods of high demand. This type of proxy service is commonly used for load balancing. 

In the era of unprecedented volumes of digital transactions and escalating threat landscape, proxy servers are more than just optional safeguards. They have become integral parts of any resilient network strategy that is designed for resilience. A strategic deployment of proxy servers is extremely important given that organizations and individuals are moving forward in an environment that is shaped by remote work, global commerce, and stringent data protection regulations, and it is imperative to take proper consideration before deploying proxy servers. 

The decision-makers of organizations should consider their unique operational needs—whether they are focusing on regulatory compliance, optimizing performance, or gathering discreet intelligence—and choose proxy solutions that align with these objectives without compromising security or transparency in order to achieve these goals. 

As well as creating clear governance policies to ensure responsible use, prevent misuse, and maintain trust among stakeholders, it is crucial to ensure that these policies are implemented. Traditionally, proxy servers have served as a means of delivering content securely and distributing traffic while also fortifying privacy against sophisticated tracking mechanisms that make it possible for users to operate in the digital world with confidence. 

As new technologies and threats continue to develop along with the advancement of security practices, organizations and individuals will be better positioned to remain agile and protect themselves as technological advancements and threats alike continue to evolve.

Understanding VoIP DDoS Attacks: Prevention and Mitigation Strategies

 


A distributed denial-of-service (DDoS) attack targets a VoIP server by overwhelming it with phony user requests. This excessive traffic can exceed the network’s capacity, causing service disruptions and making genuine user requests unprocessable. Online criminals exploit these attacks to disrupt Voice Over Internet Protocol (VoIP) network services, the backbone of modern business phone systems and customer service software. VoIP services are particularly susceptible to DDoS attacks, as even a failed attempt can significantly degrade voice call quality and reliability. 
  
Modus Operandi of VoIP DDoS Attacks 
 
DDoS attacks aim to overwhelm a network with fake traffic, resulting in service denial for legitimate users. A typical VoIP server managing hundreds of calls per hour might struggle to respond to thousands of requests per second during an attack. Key attack methods include:
  • Botnets: Hackers deploy large networks of compromised devices, such as PCs, routers, mobile phones, and IoT devices, to generate attack traffic.
  • SIP Flood Attack: The attacker sends numerous Session Initiation Protocol (SIP) call requests, crashing the victim's VoIP server.
  • SIP Reflection Attack: Hackers spoof the victim's IP address and send queries to random servers, which flood the victim’s server with responses, overloading it.
Mitigation Tips to Defend Against VoIP DDoS Attacks 
 
Adopting robust defense mechanisms can help protect VoIP systems from DDoS attacks. Key strategies include: 
  
1. Use a Reverse Proxy A reverse proxy acts as an intermediary between clients and servers, handling and filtering requests to shield the server. Benefits include:
  • Regulating inbound traffic to ensure only legitimate requests pass through.
  • Disguising the origin server's IP address to prevent direct targeting by hackers.
  • Minimizing latency by offloading tasks such as encrypting and decrypting TLS/SSL communications.
2. Real-Time Network Monitoring Real-time monitoring tools establish a baseline of regular activity to detect anomalies. These tools:
  • Identify unusual network behavior, enabling rapid responses to DDoS-induced traffic spikes.
  • Protect endpoint protocols and IP blocks from malicious requests.
  • Help prevent VoIP fraud by detecting and mitigating suspicious activities.
3. Implement Rate Limiting Rate limiting reduces the impact of malicious bot traffic by controlling the volume of requests. It works by:
  • Delaying or blocking excessive requests from a single IP or multiple sources.
  • Setting thresholds to limit the frequency of actions within a specific time frame.
  • Ensuring only legitimate traffic reaches critical resources.
Rate limiting effectively curtails attackers' ability to sustain a successful DDoS attack. 

VoIP DDoS attacks pose significant risks to modern communication systems, but proactive measures can mitigate these threats. By using reverse proxies, adopting real-time monitoring tools, and implementing rate-limiting techniques, organizations can safeguard their VoIP infrastructure against malicious traffic and ensure uninterrupted services.

Proxyjacking Threat: Exploited SSH Servers for Sale on the Dark Web

A new attack targeting Secure Shell (SSH) servers has surfaced in the constantly changing world of cybersecurity. Concerningly, exploited SSH servers are now being provided as proxy pools on the dark web, which is a worrying trend. The integrity of global digital infrastructures as well as the security of sensitive data are seriously jeopardized by this trend.

The Proxyjacking Menace

Proxyjacking, as it is now termed, involves cybercriminals compromising SSH servers and selling them on the dark web as part of proxy pools. These servers are then used as a gateway for malicious activities, bypassing traditional security measures and gaining unauthorized access to networks. This technique allows attackers to conceal their true identity and location, making it difficult for cybersecurity professionals to trace and mitigate the threat.

Cloudflare, a prominent cybersecurity firm, highlights the significance of SSH in secure networking. SSH tunneling is a powerful tool for encrypting connections and safeguarding sensitive data during transmission. However, when these tunnels are breached, they become a potential point of vulnerability. Cloudflare emphasizes the need for robust security measures to protect against SSH-related threats.

SSH Tunneling and its Vulnerabilities

SSH tunneling is widely used to establish secure connections over untrusted networks. However, when improperly configured or outdated, SSH servers become susceptible to exploitation. Cybercriminals are quick to capitalize on these vulnerabilities, using compromised servers to launch attacks that can lead to data breaches, unauthorized access, and network compromise.

The exploitation of SSH servers for proxy jacking poses a significant risk to organizations and individuals alike. By leveraging these compromised servers, attackers can gain access to sensitive information, compromise critical systems, and disrupt operations. The consequences of such breaches can be severe, ranging from financial losses to reputational damage.

To defend against this emerging threat, organizations must prioritize the security of their SSH servers. Regularly updating and patching systems, implementing strong access controls, and employing advanced intrusion detection systems are essential to fortifying defenses against proxy jacking attacks. Furthermore, organizations should consider monitoring the dark web for any indications of compromised servers associated with their domains.

Proxyjacking has become more prevalent due to vulnerable SSH servers, which emphasizes the constant necessity for cybersecurity awareness. Being knowledgeable about new strategies and bolstering defenses are essential as cyber threats continue to change. Organizations may preserve their digital assets and shield themselves from the sneaky threat of proxyjacking by putting in place strong security measures and being diligent in monitoring for any breaches.



WhatsApp Allows Communication Amid Internet Outages

On January 5, WhatsApp revealed a new feature that enables users to connect via proxy servers so they may continue using the service even when the internet is restricted or disrupted by shutdowns.

Concept of Whatsapp proxy 

When selecting a proxy, users can connect to WhatsApp via servers run by individuals and groups devoted to promoting free speech throughout the world. According to WhatsApp, using a proxy connection preserves the app's privacy and security settings, and end-to-end encryption will continue to secure private conversations. As per the firm, neither the proxy servers, WhatsApp, nor Meta will be able to see the communications that are sent between them.

When it comes to assisting users when WhatsApp is prohibited in a country, the messaging service stated, "If WhatsApp is restricted in your nation, you can utilize a proxy to connect and communicate with loved ones. End-to-end encryption will still be used to protect private communications while using a proxy connection to WhatsApp."

In accordance with the new rules, internet service providers had to remove anything that law enforcement regarded to be illegal and cooperate with police investigations, which included locating the authors of malicious materials.WhatsApp countered this claim by saying that it will continue to secure users' private messages and would not compromise their security for any government.

According to Juras Jurnas of the proxy and online data collecting company Oxylabs, "For persons with government restrictions on internet access, such as was the situation with Iran, utilization of a proxy server can help people keep a connection to WhatsApp as well as the rest of the public, internet free."

After activists in response to the death of Mahsa Amini, 22, while in police detention, the Iranian government restricted access to Instagram and WhatsApp last year. The suspension of Article 370 of the Indian Constitution by the Indian Parliament resulted in a shutdown of the internet in the state of Jammu & Kashmir. This state-imposed lockdown was implemented as a precautionary measure. Only two districts, Ganderbal and Udampur, have 4G availability. After 552 days without internet or with slow internet, the former state was finally connected to 4G on February 6th, 2021.

The business stated it is working to ensure that internet shutdowns never occur and that individuals are not denied human rights or prevented from seeking immediate assistance as these scenarios arise in various locations throughout the world. 

Internet platforms had to comply with police investigations, including locating the authors of malicious information and destroying anything that authorities had determined to be illegal, according to the new legislation.WhatsApp countered that it would maintain the privacy of users' private messages and would not compromise its security for any government.






Microsoft: Large-Scale AiTM Phishing Attacks Against 10K+Organizations

 

More than 10,000 companies were targeted in a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites. Microsoft identified a large-scale phishing effort that employed adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and circumvent authentication even when the victim had activated MFA. 

Threat actors utilise AiTM phishing to set up a proxy server between a target user and the website the user desires to access, which is the phishing site controlled by the attackers. The proxy server enables attackers to intercept communications and steal the target's password and a session cookie. 

Threat actors started business email compromise (BEC) attacks against other targets after obtaining the credentials and session cookies needed to access users' mails. Since September 2021, Microsoft specialists think the AiTM phishing effort has targeted over 10,000 companies. 

Phishing using AITM 

By impersonating the Office online authentication page, the landing sites utilised in this campaign were meant to attack the Office 365 authentication process. Microsoft researchers discovered that the campaign's operators utilise the Evilginx2 phishing kit as its AiTM infrastructure. Threat actors utilised phishing emails with an HTML file attachment in several of the attacks seen by the experts. The message alerted recipients that they had a voice message in order to deceive them into opening the file.
 
The analysis published by Microsoft states, “This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable.”

“By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.” 

After capturing the session cookie, the attackers inserted it into their browser to bypass the authentication procedure, even if the receiver had activated MFA for his account. Microsoft advises organisations to use systems that enable Fast ID Online (FIDO) v2.0 and certificate-based authentication to make their MFA deployment "phish-resistant."

Microsoft also advises establishing conditional access controls if an attacker attempts to utilise a stolen session cookie and monitoring for suspicious or anomalous activity, such as sign-in attempts with suspicious features and odd mailbox operations. 

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organisations put in place to defend themselves against potential attacks. While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place," concludes the report.

2,77,000 Routers Vulnerable to 'Eternal Silence' Assaults via UPnP

 

'Eternal Silence,' a malicious campaign, is exploiting Universal Plug and Play (UPnP), which switches the router into a proxy server used to execute nefarious assaults while obscuring the threat actors' location. 

UPnP is a connection protocol that enables additional devices on a network to establish port forwarding rules on a router automatically and is optionally available in most modern routers. This allows remote devices to use a certain software function or device as needed, with minimal user configuration. 

However, it is another technology that compromises security for convenience, particularly when the UPnP implementation is subject to attacks that enable remote attackers to add UPnP port-forwarding entries over a device's exposed WAN connection. 

Akamai researchers discovered attackers exploiting this flaw to build proxies that conceal their harmful operations and termed the attack UPnProxy. 

277,000 of the 3,500,000 UPnP routers detected online are vulnerable to UPnProxy, with 45,113 already infected by hackers. 

Analysts at Akamai believe the perpetrators are attempting to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, respectively. 

Exploiting these holes can result in a variety of issues, such as resource-intensive cryptominer infections, destructive worm-like attacks that quickly spread across entire corporate networks, or gaining initial access to corporate networks. 

The hackers' new rulesets include the phrase 'galleta silenciosa,' which means 'silent cookie'. 

The injections try to expose TCP ports 139 and 445 on devices connected to the targeted router, which totals around 1,700,000 machines that use SMB services. 

Although Akamai is unaware of the campaign's success rate, it did notice a methodical approach to the scans, focusing on devices that use static ports and routes for their UPnP daemons to inject port forwards.  

The perpetrators may be attempting to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, according to Akamai's experts. 

"Because there is a decent possibility that (vulnerable) machines unaffected by the first round of EternalBlue and EternalRed attacks were safe only because they weren't exposed directly to the internet. They were in a relatively safe harbor living behind the NAT," explains Akamai's report 

"The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits." 

'Eternal Silence' is a clever attack since it makes the practice of network segmentation ineffective and provides no sign of what is happening to the victim. 

Scanning all endpoints and auditing the NAT table entries is the best technique to see if the devices have been captured. There are a variety of ways to achieve this, but Akamai has made it simple by providing a bash script that can be used to test a potentially vulnerable URL. 

Disabling UPnP won't erase existing NAT injections if someone found a device infected with Eternal Silence. Users will have to reset or flash the device instead. 

Applying the most recent firmware update should also be a priority, since the device vendor may have resolved any UPnP implementation problems via the system update.

FiveSys Rootkit Exploits Microsoft-Issued Digital Signature

 

A rootkit termed FiveSys can potentially avoid detection and enter Windows users' PCs by abusing a Microsoft-issued digital signature, as per the Bitdefender security experts, 

Microsoft introduced rigorous requirements for driver packages that aim to receive a WHQL (Windows Hardware Quality Labs) digital signature to prevent certain types of malicious attacks, and starting with Windows 10 build 1607, it prevents kernel-mode drivers from being loaded without such a certificate. 

Malware developers, on the other hand, seem to have discovered a way to bypass Microsoft's certification and obtain digital signatures for their rootkits, allowing them to target victims without raising suspicion. 

Microsoft confirmed in June that intruders had successfully submitted the Netfilter rootkit for certification via the Windows Hardware Compatibility Program. Now, Bitdefender's researchers warn that the FiveSys rootkit also has a Microsoft-issued digital signature, implying that this might soon become an emerging trend in which adversaries successfully verify their malicious drivers and signed by Microsoft. 

According to the researchers, FiveSys is comparable to the Undead malware that was first disclosed a few years ago. Furthermore, the rootkit, like Netfilter, is aimed towards the Chinese gaming industry. 

Bitdefender stated, “The attackers seem to originate from China and target several domestic games. We can confidently attribute this campaign to several threat actors, as their tools share the same functionality but are vastly different in implementation.” 

The rootkit directs Internet traffic to a custom proxy server using a frequently updated autoconfiguration script that comprises a list of domains/URLs. Furthermore, the rootkit can prohibit drivers from the Netfilter and fk_undead malware families from being loaded by using a list of digital signatures. 

Moreover, FiveSys offers a built-in list of 300 supposedly randomly created domains that are encrypted and are intended to circumvent possible takedown attempts. Bitdefender also claims to have discovered multiple user-mode binaries that are used to obtain and execute malicious drivers on target PCs. 

FiveSys appears to use four drivers in all, although only two of them were isolated by the security experts. After discovering the abuse, Microsoft cancelled FiveSys' signature.

While the rootkit is being used to steal login credentials from gaming accounts, it is likely that it may be utilised against other targets in the future. However, by following a few easy cybersecurity safeguards, one can prevent falling prey to such or similar assaults.

Botezatu recommended,  "In order to stay safe, we recommend that users only download software from the vendor's website or from trusted resources. Additionally, modern security solutions can help detect malware – including rootkits – and block their execution before they are able to start." 

ESET: FontOnLake Rootkit Malware Targets Linux Systems

 

Researchers have detected a new campaign that is potentially targeting businesses in Southeast Asia using previously unknown Linux malware that is designed to allow remote access to its administrators, as well as collect credentials and operate as a proxy server. 

The malware group, called "FontOnLake" by the Slovak cybersecurity firm ESET, is reported to entail "well-designed modules" that are constantly modified with a wide range of features, indicating an active development stage. 

According to samples uploaded to VirusTotal, the initial attacks employing this threat may have happened as early as May 2020. The same virus is being tracked by Avast and Lacework Labs under the name HCRootkit. 

ESET researcher Vladislav Hrčka stated, "The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks." 

"To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism." 

FontOnLake's toolkit consists of three components: trojanized copies of genuine Linux utilities utilized to load kernel-mode rootkits and user-mode backdoors, all of which interact through virtual files. The C++-based implants themselves are programmed to monitor systems, discreetly perform commands on networks, and steal account passwords. 

A second variation of the backdoor also function as a proxy, modify files, and download arbitrary files, while a third variant, in addition to combining characteristics from the other two backdoors, can run Python scripts and shell commands. 

ESET discovered two variants of the Linux rootkit that are based on an open-source project called Suterusu and share features like hiding processes, files, network connections, and itself, as well as being able to perform file operations and obtain and run the user-mode backdoor. 

Enterprise Password Management 

It is yet unknown how the attackers gained initial network access but the cybersecurity firm highlighted that the malicious actor behind the assaults is "overly cautious" to avoid leaving any traces by depending on multiple, unique command-and-control (C2) servers with different non-standard ports. All the C2 servers observed in the VirusTotal artifacts are no longer working. 

Hrčka stated, "Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns." 

"As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes."