
Researchers have spotted a new malicious campaign, called proxyjacking, that targets the Log4j vulnerability. The adversaries attempt to install a legitimate network segmentation tool called proxyware on unsuspecting victims' systems in order to resell the target's bandwidth.
Researchers report that 23,000 unpatched systems are vulnerable to the Log4j bug and reachable via the public internet.
Proxyjacking is similar in concept to cryptojacking. Unlike cryptomining, which can be detected by monitoring CPU usage, proxyjacking is hard to detect: one gigabyte of network traffic spread out over a month is likely to go unnoticed.
Proxyjacking could net an attacker about $9.60 a month for 24 hours of activity from a single IP address. Deploying proxyware via Log4j could yield more than $220,000 in profit a month, while a more conservative scenario of compromising 100 IPs would produce nearly $1,000 per month, the researchers estimate.
The bandwidth is resold to a variety of customers who pay to use an IP address and its bandwidth for purposes including accessing streaming content that may be blocked in their geographic region.
In the proxyjacking attack observed, the attacker targeted Kubernetes infrastructure, specifically an unpatched Apache Solr service, to take control of the container and proceed with their activities.
It is unclear who is carrying out the proxyjacking attacks; the researchers did not outline the scope of the attacks, the timeline, or the specific targets or geographic regions affected.
According to a Trend Micro statement, non-malicious bandwidth-reselling services have guidelines and tools to restrict abuse. The services have been abused in the past, but those cases did not involve exploiting vulnerable Log4j instances; rather, they were tied to click-fraud campaigns and to driving traffic to malvertising sites designed to enrol victims without their consent. Pay-outs to customers are then routed to attackers.
The Log4j vulnerability represents a new attack vector for bandwidth bandits, according to Sysdig. Adversaries can skip creating a ruse to lure victims and instead programmatically scan the internet for unpatched instances of the Apache Log4j library, which allow remote code execution.
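The defender-side counterpart to that scanning is knowing which of your own JARs still carry a vulnerable log4j-core build. The following is an added Python example, not code from Sysdig or from the article, that walks a directory tree (for instance an extracted container image) and flags log4j-core JARs that still contain JndiLookup.class or report a manifest version below 2.17.1; the 2.17.1 threshold and the two sample JARs it builds are assumptions constructed for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"  # removed upstream in 2.16.0
PATCHED = (2, 17, 1)  # assumption: anything older than 2.17.1 is treated as unpatched

def parse_version(text):
    """Turn a manifest version such as '2.14.1' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_jar(jar_path):
    """Report whether a JAR is log4j-core and whether it still looks exploitable."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
    is_core = any(n.startswith(CORE_PREFIX) for n in names)
    has_jndi = JNDI_LOOKUP in names
    outdated = version is not None and version < PATCHED
    return {"path": str(jar_path), "version": version, "is_log4j_core": is_core,
            "jndi_lookup_present": has_jndi,
            "vulnerable": is_core and (has_jndi or outdated)}

def scan_tree(root):
    """Walk a directory (e.g. an extracted container image) and inspect every *.jar."""
    return sorted((inspect_jar(p) for p in Path(root).rglob("*.jar")),
                  key=lambda r: r["path"])

def build_sample_jar(path, version, include_jndi):
    """Construct a minimal fake log4j-core JAR so the scan can run offline."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"placeholder")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"placeholder")

def demo():
    """Build one unpatched and one patched sample JAR (constructed data) and scan them."""
    root = Path(tempfile.mkdtemp())
    build_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1", include_jndi=True)
    build_sample_jar(root / "log4j-core-2.17.1.jar", "2.17.1", include_jndi=False)
    return scan_tree(root)
```

Point scan_tree() at a real filesystem or image layer to get the same findings for production JARs; nested JARs inside WAR or EAR archives would need a recursive unpack first.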
This research is documented by researchers from Sysdig.