IPs for sale: Proxyjackers scale up operations, from residential to cloud

If cryptojacking takes advantage of computing power, proxyjacking goes for network connectivity.
Jaczhou/Getty Images


One way to get some passive income: Lend out bandwidth. Another, far less ethical, way: Sell someone else’s without their knowledge.

Residential users can lease their bandwidth and IP addresses, essentially turning their home internet connection into an exit point that an outside user, usually a business in need of many distinct IP addresses, can route traffic through. But it’s not without risk. Back in 2021, Cisco detailed how malicious actors tricked targets into unknowingly installing a proxyware platform.

A report last month from the cloud-security company Sysdig suggested proxyware is moving away from residential environments and into bigger ones with more connectivity to offer. Its April research described a proxyjacking attacker targeting Kubernetes, the container-orchestration platform that underpins many cloud-based microservices.

“They’re looking for vulnerabilities that can affect cloud networks. So, it’s a much larger scale,” said Crystal Morin, threat research engineer at Sysdig.

The attack, jack. The attacker obtained initial access to a container by exploiting a Log4j vulnerability in Apache Solr, an enterprise search platform that bundles the Log4j logging library. The shift to containers and the cloud, and to organizations running enterprise-scale software like Solr (and, through it, Log4j), ups the scale of the attack.

They’re not necessarily going after home users here, said Johannes Ullrich, dean of research for the SANS Institute. “These servers are of interest here because they’re usually housed in data centers with good network connectivity and have ample bandwidth here to use,” Ullrich told IT Brew.

Proxy, approximately. If cryptojacking takes advantage of computing power to mine money, proxyjacking goes for network connectivity. An attacker breaks into a system, installs a proxyware agent, and cashes in on the victim’s IP address and bandwidth.

Proxies have been used to support attack infrastructure. In August of 2021, the Mēris botnet exploited vulnerabilities in MikroTik routers to create a distributed denial-of-service (DDoS) army.

A proxy service also has non-malicious, non-bot-army uses. A gamer may want to mask their geolocation; maybe a marketing department wants to test an online marketing campaign from as many regional IP addresses as possible.

“If you have an [endpoint detection and response] agent or something else protecting the machine, it would not think that it’s a malicious agent, because it’s not actually malware. It’s totally legitimate,” said Anna Belak, director of thought leadership at Sysdig.

Some ways to proxy-prep. The attackers used Log4j, so patch it…and everything else. A late-2022 Tenable Research report found that 72% of organizations still remained susceptible to Log4j exploits.

While cryptojacking efforts are often revealed by their use of compute resources, proxyjacking is more likely to be found by network monitoring tools that spot anomalies, like a spike in outbound connections, said Ullrich.
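As an added illustration of the network-side detection Ullrich describes (example code written for this page, not from Sysdig, SANS or the article), the script below runs a simple outbound-connection baseline over flow records. Everything in it is an assumption for the demo: the simplified flow-log format (`<unix_ts> <src_ip> <dst_ip> <dst_port> <direction>`), the host addresses, the thresholds, and the constructed sample data in `build_sample_flows()`. It flags a host whose outbound connection count in a five-minute bucket jumps well above its own recent median and fans out to many distinct destinations, which is what proxy exit traffic looks like and what a busy app server talking to the same few backends does not.

```python
"""Spot a proxyjacking-style outbound-connection spike in flow records.

Added example, not from the article or Sysdig's report. Assumes a constructed
flow-log line format: "<unix_ts> <src_ip> <dst_ip> <dst_port> <direction>",
where direction is "out" for connections initiated by the source host.
"""
from collections import defaultdict
from statistics import median

BUCKET_SECONDS = 300        # aggregate flows into 5-minute buckets
MIN_BASELINE_BUCKETS = 3    # need this much history before judging a bucket
SPIKE_RATIO = 5.0           # current count must be >= ratio * median history
MIN_CONNECTIONS = 50        # ignore small absolute counts (assumed threshold)
MIN_DISTINCT_DESTS = 20     # proxy traffic fans out; a backup job does not


def parse_flow(line):
    """Parse one constructed flow-log line into typed fields."""
    ts, src, dst, dport, direction = line.split()
    return int(ts), src, dst, int(dport), direction


def bucketize(lines):
    """Return {src_ip: {bucket_id: set((dst_ip, dst_port))}} for outbound flows."""
    table = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, direction = parse_flow(line)
        if direction != "out":          # inbound flows are not our signal
            continue
        table[src][ts // BUCKET_SECONDS].add((dst, dport))
    return table


def find_spikes(lines):
    """Return one alert dict per (host, bucket) whose outbound fan-out spikes."""
    alerts = []
    for host, buckets in bucketize(lines).items():
        first, last = min(buckets), max(buckets)
        for b in range(first, last + 1):          # include empty buckets as zeros
            current = buckets.get(b, set())
            count = len(current)
            history = [len(buckets.get(x, ())) for x in range(first, b)]
            if count < MIN_CONNECTIONS or len(history) < MIN_BASELINE_BUCKETS:
                continue
            baseline = median(history)
            distinct = len({dst for dst, _ in current})
            if count >= SPIKE_RATIO * max(baseline, 1) and distinct >= MIN_DISTINCT_DESTS:
                alerts.append({
                    "host": host,
                    "bucket_start": b * BUCKET_SECONDS,
                    "connections": count,
                    "baseline": baseline,
                    "distinct_destinations": distinct,
                })
    return alerts


def build_sample_flows():
    """Constructed sample data: one quiet host, one host that starts fanning out."""
    t0 = 1_700_000_100   # arbitrary epoch aligned to a 300 s bucket boundary
    lines = []
    # 10.0.1.5 (assumed app server): four quiet buckets, 4 flows each to internal DBs
    for b in range(4):
        for k in range(4):
            lines.append(f"{t0 + b * 300 + k * 60} 10.0.1.5 10.0.2.{10 + k} 5432 out")
    # fifth bucket: 80 connections to 80 distinct external addresses (proxy exit traffic)
    for k in range(80):
        port = 443 if k % 2 else 80
        lines.append(f"{t0 + 4 * 300 + k * 3} 10.0.1.5 203.0.113.{k + 1} {port} out")
    # 10.0.1.9: steady 3 flows per bucket for five buckets, never alerts
    for b in range(5):
        for k in range(3):
            lines.append(f"{t0 + b * 300 + k * 90} 10.0.1.9 10.0.2.20 443 out")
    # an inbound flow, which bucketize() ignores
    lines.append(f"{t0} 198.51.100.7 10.0.1.5 443 in")
    return lines


if __name__ == "__main__":
    for alert in find_spikes(build_sample_flows()):
        print(alert)
```

The distinct-destination check is the part worth keeping if you adapt this to real VPC flow logs or conntrack exports: a count-only rule fires on every legitimate burst (backups, log shipping, a deploy pulling images), while proxyware serving a customer's requests produces many short connections to unrelated destinations from a host that normally talks to a handful of backends.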

And if bandwidth from your AWS instances is suddenly up for sale, that’s trouble.

“There’s no legitimate business reason to be doing that. So, you could easily block this specific software in certain contexts,” said Belak.

The Sysdig threat research team also recommends setting up billing limits and alerts with cloud service providers, to avoid surprise usage bills.

“This is a low-effort and high-reward attack for threat actors, with the potential for far-reaching implications,” the report concluded.—BH
