Researchers on Thursday reported on advances in cybercriminal proxy services that feature “unblocked” IP addresses — services used in a series of credential stuffing attacks in one week against U.S. companies, in which more than 187,000 IP addresses were used to try to defraud organizations and their clients.
In a blog post, researchers at DomainTools identified these new malicious proxy services as "Black Proxies." The Black Proxies are marketed to other cybercriminals for their reliability, scope and overwhelming number of IP addresses.
The researchers said the scale of Black Proxies is “a factor larger” than that of other observed services, because they combine traditional forms of IP proxying and the use of compromised websites with these new methods of commandeering IP space for their illegal activities.
Black Proxies are simply a new "as-a-service" way for adversaries to hide their command-and-control infrastructures behind legitimate IP addresses — but they also highlight the need for defenders to adopt more modern tactics to detect them, said Phil Neray, vice president of cyber defense strategy at CardinalOps. Neray said security operations centers (SOCs) should monitor for unusual or unauthorized behavior in their networks rather than relying on static indicators of compromise (IOCs) like IP addresses.
“For example, MITRE ATT&CK is a knowledge base that tracks the tactics, techniques, and procedures of several hundred adversary groups, based on their known playbooks and how they move through the kill chain,” said Neray. “This is a much more reliable method of detecting them, so they can be contained before they can have a material impact on an organization.”
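As an added illustration of the behavioural approach Neray describes (example code written for this article, not from DomainTools or CardinalOps), the script below runs a static IP blocklist and a behavioural rule over a constructed batch of login events: the blocklist, fed hypothetical indicators, misses the burst because every proxy IP is fresh, while counting distinct failing source IPs per minute flags it. The log format, the date, the thresholds and the IP ranges are all assumptions.

```python
"""Credential stuffing through rotating proxies: static IOC match vs. behaviour.

The sample log is constructed: two normal logins, then a one-minute burst of
failed logins where every attempt comes from a different source address and
targets a different account, the pattern the article attributes to Black Proxies.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a hypothetical format: ISO timestamp, source IP, user, result.
SAMPLE_LOG = [
    "2022-12-08T10:00:01 203.0.113.5 alice success",
    "2022-12-08T10:00:07 198.51.100.9 bob success",
] + [
    f"2022-12-08T10:01:{i:02d} 192.0.2.{i} user{i} failure" for i in range(1, 41)
]

# Hypothetical IOC feed of previously seen bad IPs; none of the burst is in it.
STATIC_BLOCKLIST = {"192.0.2.250", "203.0.113.99"}


def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "success"


def blocklist_hits(lines, blocklist):
    """Static-IOC detection: count events whose source IP is on the blocklist."""
    return sum(1 for line in lines if parse(line)[1] in blocklist)


def stuffing_windows(lines, min_ips=20, min_fail_ratio=0.9):
    """Behavioural detection: flag any one-minute window in which failed logins
    came from at least min_ips distinct addresses and failures dominate."""
    buckets = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse(line)
        buckets[ts.replace(second=0, microsecond=0)].append((ip, user, ok))
    alerts = []
    for start, events in sorted(buckets.items()):
        fails = [e for e in events if not e[2]]
        if not fails:
            continue
        distinct_ips = {e[0] for e in fails}
        if len(distinct_ips) >= min_ips and len(fails) / len(events) >= min_fail_ratio:
            alerts.append({"window_start": start.isoformat(), "failures": len(fails),
                           "distinct_ips": len(distinct_ips),
                           "distinct_users": len({e[1] for e in fails})})
    return alerts
```

In the constructed sample the blocklist returns zero hits while the behavioural rule raises one alert for the 10:01 window; in practice the thresholds would be tuned against the organisation's own baseline of login volume and failure rate.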