It has been more than a year since Apache released details on a critical vulnerability in Log4j, which made headlines and impacted organizations around the world; however, threat actors are still exploiting it, this time through proxyjacking.
In a report released yesterday, the Sysdig Threat Research Team (TRT) detailed a new attack, dubbed proxyjacking, which leverages the Log4j vulnerability for initial access.
According to the report, the attacker then sells the victim’s IP addresses to proxyware services for profit. Proxyjacking is where a threat actor attempts to install proxyware — a legitimate network segmentation tool — on unsuspecting victims’ systems with the goal of reselling bandwidth for as much as $10 per month per compromised device. This exposes the victims to additional costs and risks.
“While Log4j attacks are common, the payload used in this case was rare. Instead of the typical cryptojacking or backdoor payload, we witnessed the attacker installing an agent that turned the compromised account into a proxy server, allowing the attacker to sell the IP to a proxyware service and collect the profit,” the report stated.
While Log4j is not the only attack vector used for deploying proxyjacking malware, Sysdig said that this vulnerability alone could theoretically yield more than $220,000 in profit per month. While some proxy services have restrictions regarding the types of IPs they will purchase and share, others do not.
While proxyjacking attacks may be dismissed as mere nuisance malware rather than a serious threat, they shouldn’t be taken lightly. These types of attacks might not directly result in data destruction or intellectual property theft, but such outcomes could follow indirectly.
“What harm do proxyware services cause to their victims? It depends on the specific proxyware in use, but it can range from "nothing" to making the unsuspecting user the target in a criminal investigation,” said Vulcan Cyber Senior Technical Engineer Mike Parkin. “That last is very unlikely, but what is likely is them being part of some shady business they probably wouldn't approve of if they knew. Some of the proxyware apps are legitimate and fully above board, but quite a few are somewhat questionable.”
Cybersecurity leaders weigh in
“Log4Shell should still be considered a threat to any organization that has not updated and applied patches to assets and products affected by it and other Log4J-related vulnerabilities,” said Zane Bond, head of product at Keeper Security. “Organizations must take a proactive approach to regularly updating software and immediately patching vulnerabilities that can be exploited in cyberattacks.”
“A critical aspect of protecting against proxyjacking is keeping threat actors out altogether,” Bond continued. “Defenders should focus on ensuring all endpoints (PCs/servers/phones/routers/etc…) are patched and up to date, and that antivirus and anti-malware solutions are deployed and up to date as well. All users with access to the network should also avoid making risky clicks or installing untrusted software and always follow password policies.”
Bond said that while not every attack can be prevented, steps can be taken to mitigate the access of cybercriminals and minimize impacts on systems, data and operations if a bad actor is able to get in.
“The most effective method for minimizing sprawl if an attack does occur is by investing in prevention with a zero trust and zero knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor’s access,” he said.
“While it shouldn't be an issue, there is still a ‘long tail’ of systems vulnerable to the Log4J vulnerability that haven't been patched,” said Parkin. “The number of vulnerable systems keeps going down, but it'll still be a while before it reaches zero — either from all of the remaining ones being patched, or the remaining ones being found and exploited.”