Proxyjacking has Entered the Chat

Sysdig’s Threat Research Team (TRT) uncovered proxyjacking, where attackers leverage the Log4j vulnerability to gain access to a container and then turn compromised pods into proxy servers to monetize IP addresses via proxyware services such as Pawns.app, IPRoyal, and Peer2Profit. This highlights how proxyware-based monetization can operate within containerized environments and cloud infrastructure.

Key Points

  • Proxyjacking monetizes victim IPs by running proxyware on compromised devices to sell access to others.
  • Initial access is achieved by exploiting the Log4j vulnerability (CVE-2021-44228) in a container (Apache Solr).
  • The attacker downloads and executes a malicious script from a command-and-control source to enable proxying functionality.
  • Persistence and defense evasion are achieved via crontab-based scheduling and cleanup of traces (cleared history and deleted files).
  • Container supply chain risk is exploited through malicious DockerHub images that bundle proxyware software (e.g., enwaiax/peer2profit, etc.).
  • Financial impact can be significant, with earnings per IP and broad profit potential depending on the scale of compromise.

MITRE Techniques

  • [T1190] Exploitation for Initial Access – The attacker exploited the Log4j vulnerability to gain initial access to a container. [The attacker obtained initial access into a container exploiting the infamous Log4j vulnerability (CVE-2021-44228) present in an Apache Solr application.]
  • [T1105] Ingress Tool Transfer – The attacker downloaded a malicious script from the attacker's command-and-control server to the /tmp folder. [‘download a malicious script from the attacker command and control, and place it in the /tmp folder’]
  • [T1059.004] Unix Shell – The attacker executed commands to download and run the malicious script inside the compromised pod. [The attacker’s first execution was downloading an ELF file renamed /tmp/p32, which was then executed with some parameters…]
  • [T1053.005] Cron – The attacker used crontab to schedule the script so that it ran every 10 minutes and was relaunched if it had stopped. [the command was executed every 10 minutes; if something happened… it would automatically restart the execution.]
  • [T1070.003] Clear Linux Command History – The attacker cleared the history as part of defense evasion. [clearing the history and removing the file they dropped in the containers and the temp files]
  • [T1070.004] File Deletion – The attacker removed dropped files and cleaned up temporary artifacts. [removing the file they dropped in the containers and the temp files]
  • [T1195] Supply Chain Compromise – Attackers targeted container images from DockerHub that bundled proxyware software. [One of the threats we saw… was the use of proxyware services inside container images. These are some of the Dockerhub images we uncovered…]
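A defender-side check for two of the behaviours listed above (T1053.005, a binary dropped in /tmp and rescheduled by cron, and T1195, proxyware bundled into container images), added here as an example that is not code from the Sysdig post; the crontab lines and image list it scans are constructed samples, and the drop-directory list and proxyware marker strings are assumptions based on the services named on this page:

```python
import re

# Constructed sample crontab: one routine entry and one matching the pattern
# described above (a binary dropped in /tmp, rescheduled every 10 minutes).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * /tmp/p32 --arg >/dev/null 2>&1
"""

# Constructed sample of images running in a cluster; enwaiax/peer2profit is
# the image named on this page, the other two are made-up benign names.
SAMPLE_IMAGES = ["nginx:1.25", "enwaiax/peer2profit:latest", "library/solr:8"]

DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")          # assumed staging dirs
PROXYWARE_MARKERS = ("peer2profit", "pawns", "iproyal")  # services named above
CRON_RE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)$")


def suspicious_cron_entries(crontab_text: str, max_minutes: int = 15) -> list[tuple[str, str]]:
    """Return (line, reason) for cron entries that launch a binary from a drop
    directory; call out separately a tight */N minute step, which gives the
    restart-if-killed behaviour described above."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        m = CRON_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        minute, command = m.group(1), m.group(2)
        binary = command.split()[0]
        if not binary.startswith(DROP_DIRS):
            continue
        step = re.fullmatch(r"\*/(\d+)", minute)
        if step and int(step.group(1)) <= max_minutes:
            findings.append((line, f"{binary} relaunched every {step.group(1)} min"))
        else:
            findings.append((line, f"{binary} runs from a drop directory"))
    return findings


def proxyware_images(image_refs: list[str]) -> list[str]:
    """Return image references whose name carries a known proxyware marker."""
    return [ref for ref in image_refs
            if any(marker in ref.lower() for marker in PROXYWARE_MARKERS)]


if __name__ == "__main__":
    for line, reason in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"[cron] {reason}: {line}")
    for ref in proxyware_images(SAMPLE_IMAGES):
        print(f"[image] proxyware bundled: {ref}")
```

In practice the crontab text would come from the pod's /etc/crontab and /var/spool/cron entries, and the image list from the cluster's pod specs.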

Indicators of Compromise

  • [IP] 185.224.128.251, 23.88.73.143, and 51.81.155.182
  • [Filename] p32, b, and c
  • [MD5 Hash] 6927833415c4879728707574c0849bfc, f10861ea968770effbd61cda573b6ff8, and 1 more hash

Read more: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/