Sep 3, 2020 Under Attack: How Threat Actors are Exploiting SOCKS Proxies – Security Intelligence


From the basic building blocks of the internet to cryptocurrency mining on a supercomputer, SOCKS sits at the core of computing. A SOCKS proxy can be used to improve network security in an enterprise, but can also be exploited by cybercriminals for nefarious reasons. Take a look at how SOCKS proxies have been manipulated recently by threat actors.

What is a SOCKS Proxy?

SOCKS, which stands for Socket Secure, is an internet protocol that enables the exchange of packets between a client and a server through a proxy server.

According to the Internet Engineering Task Force, the protocol is “designed to provide a framework for client-server applications in both the TCP (transmission control protocol) and UDP (user datagram protocol) domains to conveniently and securely use the services of a network firewall.”

A proxy server functions as an intermediary for requests from a client in an internal network seeking services or resources from the internet. The proxy server has its own public IP address.

There are a number of use cases for a proxy server: to improve network security, carry out actions anonymously, balance network traffic, control employee internet usage and provide faster network speeds by compressing traffic, caching files and stripping ads from websites.

Two versions of SOCKS are in use: SOCKS4 and SOCKS5, the current version of the protocol. SOCKS5 adds support for a variety of authentication methods and for proxying User Datagram Protocol (UDP) traffic.

There are several benefits to using the latest version of SOCKS for a proxy server. First, it enables an administrator to remotely access backend services within a cloud-hosted cluster behind a firewall, without exposing the backend service ports. Second, it does not require anything special as long as there is secure shell (SSH) access to either the edge node or the gateway. Third, a SOCKS5 proxy can route test TCP (TTCP) and UDP traffic through SSH tunneling, so each service does not require its own proxy to send requests. Finally, it does not rewrite data packets, so it makes fewer errors and performs better.

SOCKS5 Proxies Used in Supercomputer Attacks

Unfortunately, a SOCKS proxy can be abused by attackers to carry out various types of nefarious activities.

A recent example involves cryptomining attacks on academic supercomputers used to conduct advanced research. According to research by the European Grid Infrastructure Foundation’s computer security incident response team, the attackers connected, over an SSH connection originating from the anonymous Tor network, to a SOCKS5 proxy host running a microSOCKS instance on a high port. MicroSOCKS is a small, multithreaded SOCKS5 server.

Normally, researchers use the SSH connection to log in to the supercomputers remotely. The attackers stole SSH credentials and used them to move between supercomputers, which they then used to mine cryptocurrency.

The academic institutions running the supercomputers had to shut them down to clear the cryptomining malware, disrupting valuable academic research.

SOCKS5 Exploited by Dark Nexus Botnet

In another recent attack, the Dark Nexus internet of things (IoT) botnet enlisted SOCKS proxies in a distributed denial-of-service (DDoS) for-hire scheme.

The Dark Nexus attackers infect IoT devices and then run a SOCKS5 proxy on a randomly chosen port that connects with the command and control server as part of the registration, based on a Bitdefender analysis.

Bitdefender researchers believe the attackers are selling access to the SOCKS5 proxies on an underground forum. However, they do not have direct evidence to support this belief.

In addition, the Gwmndy botnet abused SOCKS proxy servers. Gwmndy attackers targeted Fiberhome routers and added 200 routers per day to their botnet, stopping after reaching that number, according to 360 Netlab researchers.

Instead of using the botnet for DDoS attacks, cryptojacking, sending spam or stealing data, the Gwmndy botnet operators appeared to use the routers as SSH tunneling proxy nodes and to run a SOCKS5 proxy service locally on each device.

Ransomware Attackers Abuse SOCKS Proxies

Ransomware attackers also use SOCKS proxies. The QNAPCrypt ransomware, which focused on infecting network-attached storage Linux devices, exploited authentication methods used by companies to establish connections through a SOCKS5 proxy, according to Intezer researchers.

Central to the multistage QNAPCrypt ransomware attack is a SOCKS5 proxy. First, the ransomware connects to a SOCKS5 proxy. The proxy requests the victim’s configuration keys to retrieve the ransomware client from an Onion domain. It retrieves an RSA public key, unique Bitcoin wallet and ransom note from the Onion domain. After going through the SOCKS5 proxy again, the ransomware proceeds to encrypt the victim’s systems using the retrieved keys.

While most ransomware attacks target Windows systems, QNAPCrypt joins a growing list of ransomware going after Linux-based systems.

Cloud Snooper and SOCKS Proxies

Cloud Snooper malware uses a SOCKS proxy to bypass firewalls in cloud infrastructure. The malware, a backdoor trojan, can be executed as a command-line tool and as a daemon.

Cloud Snooper opens HTTP or domain name system (DNS) services on an infected system and enables traffic tunneling, operating both as a reverse SOCKS5 proxy server and as a client, SophosLabs researchers explain. The SOCKS5 proxy server used by the malware is based on the open-source sSOCKS proxy implementation.

In addition, the fileless Nodersok malware exploited a SOCKS proxy to compromise thousands of PCs last year. The malware first installs an HTML application (HTA) on the targeted computer, which runs the HTA files and exploits Excel, JavaScript and PowerShell scripts.

The malware then abuses Node.js and WinDivert to start a SOCKS4 proxy on infected computers. This turns them into proxies for sending malicious traffic. Next, the malware connects to the attackers’ command and control server. The server uses the SOCKS4 protocol to send an HTTP request to the client. The client proxies the request to the website and returns the response and the HTML page to the server.

Using a SOCKS proxy together with other stealth components enables the malware to “fly under the radar” for a while. Therefore, it is best to use strong authentication to lessen the risk that SOCKS proxies are hijacked by attackers.
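The handshakes described above (the SOCKS5 greeting and authentication-method negotiation, and the older SOCKS4 request that Nodersok-style proxies speak) are easy to recognise on the wire, which is how a defender spots a rogue proxy listening on a high or random port. The following parser is an added example, not code from the article or from any of the projects it mentions; it works on constructed sample payloads and flags handshakes that involve no authentication.

```python
import struct

SOCKS5_METHODS = {0x00: "no authentication", 0x01: "GSSAPI",   # RFC 1928
                  0x02: "username/password", 0xFF: "no acceptable methods"}

# Constructed sample payloads (not real captures): a greeting offering only
# "no auth", an open-proxy reply, and a SOCKS4 CONNECT to 203.0.113.10:80.
SAMPLE_SOCKS5_GREETING = b"\x05\x01\x00"
SAMPLE_SOCKS5_OPEN_REPLY = b"\x05\x00"
SAMPLE_SOCKS4_CONNECT = b"\x04\x01\x00\x50\xcb\x00\x71\x0a" + b"bot\x00"

def parse_socks5_greeting(data: bytes) -> dict:
    """Client greeting: VER=0x05, NMETHODS, then NMETHODS method bytes."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    methods = list(data[2:2 + data[1]])
    if len(methods) != data[1]:
        raise ValueError("truncated SOCKS5 method list")
    return {"version": 5, "offers_no_auth": 0x00 in methods,
            "methods": [SOCKS5_METHODS.get(m, hex(m)) for m in methods]}

def parse_socks5_reply(data: bytes) -> dict:
    """Server method selection: VER=0x05, METHOD. METHOD 0x00 = open proxy."""
    if len(data) != 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 method-selection reply")
    return {"version": 5, "method": SOCKS5_METHODS.get(data[1], hex(data[1])),
            "unauthenticated": data[1] == 0x00}

def parse_socks4_request(data: bytes) -> dict:
    """SOCKS4: VN=0x04, CD (1=CONNECT, 2=BIND), DSTPORT(2), DSTIP(4), USERID, NUL.
    SOCKS4 has no authentication; USERID is a free-form, unverified string."""
    if len(data) < 9 or data[0] != 0x04 or data[1] not in (1, 2):
        raise ValueError("not a SOCKS4 request")
    nul = data.find(b"\x00", 8)
    if nul < 0:
        raise ValueError("SOCKS4 USERID not NUL-terminated")
    (port,) = struct.unpack("!H", data[2:4])
    return {"version": 4, "cmd": "CONNECT" if data[1] == 1 else "BIND",
            "dst": ".".join(str(b) for b in data[4:8]), "port": port,
            "userid": data[8:nul].decode("ascii", "replace"), "unauthenticated": True}

def classify_first_bytes(data: bytes) -> dict:
    """Dispatch on the version byte; non-SOCKS or malformed data -> version None."""
    parser = {b"\x05": parse_socks5_greeting, b"\x04": parse_socks4_request}.get(data[:1])
    try:
        return parser(data) if parser else {"version": None}
    except ValueError:
        return {"version": None}
```

Run `classify_first_bytes` over the first client payload of each new TCP flow on a host; any SOCKS4 hit, or a SOCKS5 reply selecting method 0x00, is a proxy that accepts anyone and is worth investigating.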

Source of this news: https://securityintelligence.com/articles/what-is-socks-proxy-exploit/
