Hackers using Log4j bug to profit from victim IP addresses through ‘proxyjacking’ scheme

There are now dozens of companies that charge customers a fee to use a different Internet Protocol (IP) address for things like watching YouTube videos that aren’t available in their region, conducting unrestricted web scraping and surfing, or browsing dubious websites without attributing the activity to their own IP.

It’s called proxyware, and legitimate businesses sell it all over the globe, including IPRoyal, Honeygain and Peer2Profit. As might be expected, however, the concept also has attracted the attention of cybercriminals, researchers say.

Many of the IP addresses used by those companies are shared in good faith by people who want to make a little money. But hackers are also taking over IP addresses and selling them without authorization, according to researchers from digital security firm Sysdig.

The team uncovered a new trend it calls “proxyjacking,” in which hackers leverage the Log4j vulnerability to gain initial access to a system or device before selling off its IP information to proxyware services.

The idea of taking over IP addresses for criminal purposes isn’t new. In recent years researchers at Cisco Talos Intelligence Group and AhnLab Security have identified attacks that use infected adware to secretly take over devices and use the IP address without a person’s knowledge. Both companies compared it to cryptomining, where hackers surreptitiously mine cryptocurrency on compromised devices.

Proxyjacking, according to Sysdig, may be even more lucrative and easier to get away with because it uses far less computing power and energy.

Sysdig researchers said that while Log4j attacks are still common in general, the way they are used in this instance stood out.

“Instead of the typical cryptojacking or backdoor payload, we witnessed the attacker installing an agent that turned the compromised account into a proxy server, allowing the attacker to sell the IP to a proxyware service and collect the profit. While Pawns and IPRoyal have restrictions regarding the types of IPs they will purchase and share, other proxyware services, such as Peer2Profit, do not,” they said.

“On a broad scale, this campaign could provide lucrative income for the attacker. According to the pawns.app profit scale, 24 hours of activity for one IP address will net $9.60 per month.”

Millions of potential targets

The Log4j vulnerability, discovered by Chinese researchers in December 2021, prompted widespread concern and kicked off a global effort by governments and businesses to address the issue. The bug is still being exploited by a wide range of hackers. Data from security company Censys shows that millions of systems are still running vulnerable versions of Log4j, software used to log information in a wide range of services and devices.

The researchers noted that they have seen other methods of attack in proxyjacking incidents, but the Log4j vulnerability appears to be the most popular.

Vulcan Cyber’s Mike Parkin said the attack highlighted in the report was evidence of Log4j’s “long tail” — noting that it will still be a while until the number of vulnerable systems reaches zero.

In the case identified by Sysdig, the hackers exploited Kubernetes infrastructure. Kubernetes is an open-source container orchestration system for automating software deployment. More specifically, the hackers exploited an unpatched Apache Solr service, in order to take control of the container and proceed with the proxyjacking attack.

Once the attacker installed a version of the IPRoyal Pawns application and began earning money, they took a number of steps to evade detection and achieve persistence.

The researchers outlined two consequences of proxyjacking attacks:

• The financial cost of the attacks may be significant for organizations, considering some cloud companies like Amazon Web Services charge based on the amount of traffic a router gets.

• The attacks do consume some amount of device memory and CPU, which also may cost victims, although not as much as illicit cryptomining would.

“This is a low-effort and high-reward attack for threat actors, with the potential for far-reaching implications,” they said.

Who’s using what?

The market for IP addresses can be problematic in other ways, the experts warn. Sysdig’s team and other researchers note that if you knowingly sell your internet bandwidth to a proxyware service, it could still be used for malicious or illegal activities.

“An actor can just as easily purchase and use your shared internet in an attack. Many malicious attackers use proxies to obfuscate their command and control activities and identifying information,” the Sysdig researchers explained.