Malware, Cloud Security

Log4j bug abused in new ‘proxyjacking’ attacks to resell bandwidth, abuse enterprise cloud

abuse of proxware leads to threats to enterprise cloud

The Log4j vulnerability is being targeted in new malicious campaigns dubbed "proxyjacking" where adversaries attempt to install the legitimate network segmentation tool called proxyware on unsuspecting victims in order to resell a target's bandwidth for up to $10 a month.

Sysdig’s Threat Research Team, which identified the technique, said adversaries are targeting millions of systems still vulnerable to the Log4j vulnerability. Citing Censys in its research, Sysdig reports 23,000 unpatched systems are vulnerable to the Log4j bug and reachable via the public internet.

"Log4j is not the only attack vector for deploying proxyjacking malware, but this vulnerability alone could theoretically provide more than $220,000 in profit per month," Sysdig researchers wrote in a report outlining the attack on Tuesday.

Proxyjacking abuses non-malicious third-party services marketed primarily to residential internet customers, which allow customers to resell a portion of their "unused" bandwidth. These services, that go by the names Pawns, IPRoyal and Peer2Profit, pay users up to $10 a month. The bandwidth is resold to a variety of customers who pay to use an internet protocol (IP) address and bandwidth for a variety of things including accessing streaming content that may be blocked in geographic regions. 

Cloud infrastructure targeted

"In the proxyjacking attack that the Sysdig TRT discovered, an attacker targeted Kubernetes infrastructure, specifically an unpatched Apache Solr service, in order to take control of the container and proceed with their activities," researchers wrote.

Sysdig did not designate attribution to those carrying out the proxyjacking attacks and did not outline the scope of the attacks, timeline or specific targets or geographic regions impacted.

As Trend Micro explained in a recent post, while non-malicious bandwidth reselling services have guidelines and tools restricting abuse, the services have been abused in the past. Those abuses didn't involve exploiting vulnerable Log4j instances, rather they have been tied to click-fraud campaigns and driving traffic to malvertising sites designed to enroll victims in without their consent. Payouts to customers are then routed to attackers.

The Log4j vulnerability represents a new attack vector for bandwidth bandits, according to Sysdig. Adversaries can skip creating a ruse to lure victims and instead programatically scan the internet for unpatched instances of the Apache Log4j library, which allow for remote code execution attacks.

Abuse hard to stop

Proxyjacking could net an attacker an income of about $9.60 a month for 24 hours of activity for one IP address. Deploying proxyware via Log4j could provide more than $220,000 in profit a month, but a more conservative estimate of compromising 100 IPs would produce nearly $1,000 per month, researchers estimate.

Some of the proxyware services restrict the types of IPs they purchase, while others do not, thereby leaving the door open to running on a server or data center IP.

Proxyjacking is similar in concept to cryptojacking. Where cryptomining software is installed on a victim’s device, so is proxyjacking malware. But unlike cryptomining, which can be detected by monitoring a CPU's usage proxyjacking is hardert to detect. The effects on a system is marginal, according to researchers. One gigabyte of network traffic spread out over a month is likely to go unnoticed, Sysdig researchers said.

While proxyjacking may be viewed as nuisance malware rather than a serious threat, it could cost victims if a cloud service provider charges a customer based on metered traffic. It could also harm the victim if their internet bandwidth is used for illegal or malicious activities, such as a cyberattack. 

The Log4j vulnerability continues to be an abused attack vector, according to security professionals.

Timothy Morris, chief security advisor at Tanium, said users and organizations can protect themselves by only allowing authorized software to be installed, as well as having inventory software and processes to detect unauthorized applications, in addition to monitoring network traffic.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.