Researchers of the company Akamai report an active campaign by cybercriminals to earn money through someone else’s traffic. The attackers are targeting vulnerable SSH servers and connecting them to their network of proxies.
Allen West, a researcher at Akamai, explains, “This is an active campaign where the attacker gains remote access through SSH and deploys malicious scripts that secretly connect the victims’ servers to a peer-to-peer (P2P) proxy network, such as PEER2Profit or Honeygain.”
Unlike cryptomining, which exploits the resources of infected systems to illegally mine cryptocurrencies, proxyjacking allows attackers to utilize the unused bandwidth of the victims’ servers by hiding their malicious activities as P2P nodes.
This technique offers a dual advantage, enabling the attackers to monetize additional traffic with minimal impact on the victims’ resources and reducing the chances of detection.
Furthermore, the anonymity provided by proxy services can be weaponized by hackers to hide the source of their attacks by routing all the traffic through intermediate nodes.
Akamai experts discovered this campaign on June 8, 2023, specifically targeting vulnerable SSH servers. They found a well-crafted Bash script that retrieves necessary dependencies, including the CURL tool command line disguised as a CSS file called “csdark.css.”
The secretive script actively scans for and terminates competing malicious scripts based on the victim’s capacity for profitability.
The examination of the compromised web server revealed its use for cryptocurrency mining, indicating that the attackers are involved in both cryptojacking and proxyjacking.
Although the software used for providing proxy connections is not inherently malicious, Akamai researchers warn that “some of these services fail to properly verify the source of IP addresses on the network,” exposing users to potential risks.
Akamai representatives emphasize that following standard security practices remains an effective means to prevent such malicious activities. Implementing strong passwords, multifactor authentication, timely updates, and thorough system log maintenance can help avoid compromises or detect them in a timely manner.