Sysdig Details Proxyjacking Attack Leveraging Log4j Vulnerability

Sysdig today published a report that described how cybercriminals are exploiting the Log4j vulnerability to gain access to IP addresses that are then sold to entities that resell them.

Dubbed proxyjacking, the attacks enable cybercriminals to resell bandwidth to providers of proxyware services that allow someone to hide their physical location. Cybercriminals are using the Log4j vulnerability to install agent software and create a proxy server that allows them to sell the IP to a proxyware service.

In the proxyjacking attack that Sysdig discovered, cyberattackers targeted Kubernetes infrastructure running an unpatched Apache Solr service to take control of a container. The attacker then executed a command to download a malicious script and place it in the /tmp folder to gain privileged access.

The attacker’s first execution involved downloading an ELF file renamed /tmp/p32, which was then executed with some parameters, including the email address [email protected] [.]com and the associated password for their pawns[.]app proxyware account made available by IP Royal. By analyzing the binary downloaded and executed in the malicious script, it was possible to correlate it with the command line interface (CLI) version of the IPRoyal Pawns application from GitHub, which uses the same parameters in input. Once the attacker ran the malicious binary, they started executing commands to evade detection and achieve persistence by cleaning the compromised pod; clearing the history and removing the file they dropped in the containers and the temp files.

Michael Clark, director of threat research for Sysdig, said that while proxyware services are legitimate, not all of them scrupulously investigate how access to IP addresses is provided to them.

Cybercriminals, in effect, are using the same techniques employed to illicitly mine cryptocurrency to now hijack IP addresses, he added.

More troubling still, these attacks create a backdoor through which cybercriminals could later implant malware, noted Clark.
Complacency is the biggest challenge cybersecurity teams often encounter when trying to combat these attacks. There is a tendency to view infrastructure resource hijacking as a nuisance crime that results in relatively small incremental costs. To the contrary, the cybercriminals that launch these attacks are often part of a much larger ecosystem that includes entities willing to pay to access the backdoors that have been created. While that may appear to be the digital equivalent of petty crime, it’s only a matter of time before there is an escalation to more serious acts.

Many of the proxyware attacks are typically aimed at consumers that are not even aware they have been compromised. However, Clark noted these attacks are now being launched against servers run by IT teams.

Cybersecurity professionals are not going to tolerate any type of breach, but discovering these types of low-level attacks is challenging. They may exist for months before being discovered in the wake of a more malicious malware infestation that was enabled by an earlier proxyjacking or cryptojacking attack. The challenge, as always, is thoroughly investigating what may appear to be small incursions before they enable a major attack.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 565 posts and counting. See all posts by mike-vizard