Attackers behind an ongoing series of proxyjacking attacks are hacking vulnerable SSH servers exposed online to monetize them through proxyware services that pay to share unused Internet bandwidth.
Like cryptojacking, which allows attackers to use hacked systems to mine cryptocurrency, proxyjacking is a low-effort and highly rewarding tactic of extracting resources from compromised devices.
However, proxyjacking is harder to detect because it consumes only the unused bandwidth of a hacked system and does not noticeably affect its stability or usability, so the CPU load that typically gives cryptojacking away never appears.
While threat actors can also use hacked devices to set up proxies that can help them cover their tracks and hide malicious activity, the cybercriminals behind this campaign were only interested in monetization via commercial proxyware services.
“This is an active campaign in which the attacker leverages SSH for remote access, executing malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Proxy or Honeygain,” said Allen West, security researcher at Akamai.
“This allows the attacker to monetize an unsuspecting victim’s additional bandwidth, with only a fraction of the resource overhead that would be required for cryptomining, with less chance of discovery.”
While investigating this campaign, Akamai found a list shared on an online forum that contained the IP address which initiated the investigation along with at least 16,500 other proxies.
Proxy services and Docker containers
Akamai first spotted the attacks on June 8 after several SSH connections were made to honeypots managed by the company’s Security Intelligence Response Team (SIRT).
Once connected to one of the vulnerable SSH servers, the attackers deployed a Base64-encoded Bash script that enrolled the hacked system in the Honeygain or Peer2Profit proxy network.
The script also set up a container by pulling the Peer2Profit or Honeygain Docker image, and it killed any bandwidth-sharing containers belonging to rival services so that the host's spare bandwidth would be sold through the attackers' accounts alone.
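The two artifacts described above, a Base64 blob decoded straight into a shell and a container built from a proxyware image, are what a defender can hunt for on a Linux host. The following is an added example for this page, not code from Akamai's report or from the campaign: it decodes `echo <blob> | base64 -d | bash` command lines (as captured from `ps` or auditd), pulls the `docker pull`/`docker run` and `docker kill`/`rm` steps out of the decoded script, and flags running containers whose image matches a proxyware repository. The image-name list and all sample data are assumptions constructed for the example and should be checked against your own environment.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Docker Hub repositories published by bandwidth-sharing services. This list is
# an assumption made for the example, not one taken from the Akamai report;
# confirm the names against what the services actually publish before relying on it.
PROXYWARE_IMAGES = (
    "honeygain/honeygain",
    "peer2profit/peer2profit_linux",
    "iproyal/pawns-cli",
    "traffmonetizer/cli",
    "packetstream/psclient",
)

# "echo <blob> | base64 -d | bash": a Base64 blob decoded straight into a shell.
B64_TO_SHELL_RE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"
)
DOCKER_START_RE = re.compile(r"docker\s+(?:pull|run)\b[^\n]*")
DOCKER_KILL_RE = re.compile(r"docker\s+(?:kill|stop|rm)\s+(?:-f\s+)?(\S+)")


def decode_b64_pipeline(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline pipes a Base64 blob into a shell, else None."""
    m = B64_TO_SHELL_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: the token was not real Base64
        return None


def proxyware_images_in(script: str) -> List[str]:
    """Proxyware images that a decoded script pulls or runs."""
    started = " ".join(DOCKER_START_RE.findall(script))
    return [img for img in PROXYWARE_IMAGES if img in started]


def killed_containers(script: str) -> List[str]:
    """Container names the script kills, stops or removes (the 'evict the rival' step)."""
    return sorted(set(DOCKER_KILL_RE.findall(script)))


def _repository(image: str) -> str:
    """Strip a digest and tag from an image reference while keeping any registry:port."""
    image = image.split("@", 1)[0]
    name, sep, tail = image.rpartition(":")
    return name if sep and "/" not in tail else image


def flag_running_containers(docker_ps: str) -> List[Tuple[str, str, str]]:
    """Tab-separated ID/image/name rows (docker ps --format with .ID, .Image, .Names)
    whose image is a known proxyware repository, also when pulled via a mirror prefix."""
    flagged = []
    for line in docker_ps.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        cid, image, name = parts
        repo = _repository(image)
        if any(repo == img or repo.endswith("/" + img) for img in PROXYWARE_IMAGES):
            flagged.append((cid, image, name))
    return flagged


def triage(cmdlines: List[str], docker_ps: str) -> Dict[str, object]:
    """Run both checks over captured process command lines and docker ps output."""
    decoded = []
    for cmd in cmdlines:
        script = decode_b64_pipeline(cmd)
        if script is None:
            continue
        decoded.append({
            "cmdline": cmd,
            "pulls": proxyware_images_in(script),
            "kills": killed_containers(script),
        })
    return {"decoded": decoded, "running": flag_running_containers(docker_ps)}


# Constructed sample data (not captured from the campaign). The malicious command
# line is built by encoding SAMPLE_SCRIPT here, so the blob's contents are explicit.
SAMPLE_SCRIPT = (
    "#!/bin/bash\n"
    "docker kill peer2profit 2>/dev/null\n"
    "docker rm -f peer2profit 2>/dev/null\n"
    "docker pull honeygain/honeygain:latest\n"
    "docker run -d --restart=always --name honeygain honeygain/honeygain:latest\n"
)
SAMPLE_CMDLINES = [
    "sshd: deploy [priv]",
    "echo SGVsbG8sIHdvcmxkIQ== | base64 -d > /tmp/greeting",  # decodes, but not into a shell
    "bash -c 'echo " + base64.b64encode(SAMPLE_SCRIPT.encode()).decode() + " | base64 -d | bash'",
]
SAMPLE_DOCKER_PS = (
    "3f1a2b3c4d5e\thoneygain/honeygain:latest\thoneygain\n"
    "9a8b7c6d5e4f\tnginx:1.25\tweb\n"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CMDLINES, SAMPLE_DOCKER_PS), indent=2))
```

The shell check deliberately requires the decoded output to be piped into `sh` or `bash`; a plain `base64 -d` into a file is common in legitimate tooling and would otherwise drown the signal. The container check matches on the repository, not the tag, and tolerates a mirror prefix such as `docker.io/`, but an attacker who retags the image under a private name will not appear in it; pair it with egress monitoring for the services' endpoints.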
Akamai also found cryptominers, exploits, and hacking tools on the compromised server that hosted the malicious script, which suggests the threat actors have either pivoted entirely to proxyjacking or are running it alongside cryptojacking for additional passive income.
“Proxyjacking has become the newest way for cybercriminals to make money from compromised devices in both an enterprise ecosystem and the consumer ecosystem,” West said.
“This is a stealthier alternative to cryptojacking and has serious implications that may increase the headaches Layer 7 proxy attacks already serve.”
This is just one of many similar campaigns that enroll compromised systems in proxyware services such as Honeygain, Nanowire, Peer2Profit and IPRoyal, as Cisco Talos and AhnLab have previously reported.
In April, Sysdig also spotted proxyjackers exploiting the Log4j vulnerability for initial access, earning them up to $1,000 for every 100 devices added to their proxyware botnet.