Under Attack: How Threat Actors are Exploiting SOCKS Proxies – Security Intelligence


From the basic building blocks of the internet to cryptocurrency mining on a supercomputer, SOCKS sits at the core of computing. A SOCKS proxy can be used to improve network security in an enterprise, but can also be exploited by cybercriminals for nefarious reasons. Take a look at how SOCKS proxies have been manipulated recently by threat actors.

What is a SOCKS Proxy?

SOCKS, which stands for Socket Secure, is an internet protocol that enables the exchange of packets between a client and a server through a proxy server.

According to the Internet Engineering Task Force, the protocol is “designed to provide a framework for client-server applications in both the TCP (transmission control protocol) and UDP (user datagram protocol) domains to conveniently and securely use the services of a network firewall.”

A proxy server functions as an intermediary for requests from a client in an internal network seeking services or resources from the internet. The proxy server has its own public IP address.

There are a number of use cases for a proxy server: to improve network security, carry out actions anonymously, balance network traffic, control employee internet usage and provide faster network speeds by compressing traffic, caching files and stripping ads from websites.

There are currently two versions of SOCKS: SOCKS4 and SOCKS5. SOCKS5 is the current version of the protocol. It supports a variety of authentication methods, as well as User Datagram Protocol (UDP) proxies.

There are several benefits to using the latest version of SOCKS for a proxy server. First, it enables an administrator to remotely access backend services within a cluster hosted in the cloud behind a firewall, without exposing the backend service ports. Second, it requires nothing special as long as there is secure shell (SSH) access to either the edge node or the gateway. Third, a SOCKS5 proxy can route test TCP (TTCP) and UDP traffic through SSH tunneling, so each service does not need its own proxy to send requests. And finally, it does not rewrite data packets, so it makes fewer errors and improves performance.

SOCKS5 Proxies Used in Supercomputer Attacks

Unfortunately, a SOCKS proxy can be abused by attackers to carry out various types of nefarious activities.

A recent example involves cryptomining attacks on academic supercomputers used to conduct advanced research. The attackers connected to a SOCKS5 proxy host running a microSOCKS instance (a small, multithreaded SOCKS5 server) on a high port, by way of an SSH connection from the anonymous Tor network, according to research by the European Grid Infrastructure Foundation’s computer security incident response team.

Normally, researchers use the SSH connection to log in to the supercomputers remotely. The attackers stole SSH credentials and used them to move between supercomputers, which they then used to mine cryptocurrency.

The academic institutions running the supercomputers had to shut them down to clear the cryptomining malware, disrupting valuable academic research.

SOCKS5 Exploited by Dark Nexus Botnet

In another recent attack, the Dark Nexus internet of things (IoT) botnet enlisted SOCKS proxies in a scheme offering distributed denial-of-service (DDoS) attacks as a for-hire service.

The Dark Nexus attackers infect IoT devices and then run a SOCKS5 proxy on a randomly chosen port that connects with the command and control server as part of the registration, based on a Bitdefender analysis.

Bitdefender researchers believe the attackers are selling access to the SOCKS5 proxies on an underground forum. However, they do not have direct evidence to support this belief.

In addition, the Gwmndy botnet abused SOCKS proxy servers. Gwmndy attackers targeted Fiberhome routers and added 200 routers per day to their botnet, stopping after reaching that number, according to 360 Netlab researchers.

Instead of using the botnet for DDoS attacks, cryptojacking, sending spam or stealing data, the Gwmndy botnet operators appeared to use the routers for SSH tunneling proxy nodes and creating a SOCKS5 proxy service locally.

Ransomware Attackers Abuse SOCKS Proxies

Ransomware attackers also use SOCKS proxies. The QNAPCrypt ransomware, which focused on infecting network-attached storage Linux devices, exploited authentication methods used by companies to establish connections through a SOCKS5 proxy, according to Intezer researchers.

Central to the multistage QNAPCrypt ransomware attack is a SOCKS5 proxy. First, the ransomware connects to a SOCKS5 proxy. The proxy requests the victim’s configuration keys to retrieve the ransomware client from an Onion domain. It retrieves an RSA public key, unique Bitcoin wallet and ransom note from the Onion domain. After going through the SOCKS5 proxy again, the ransomware proceeds to encrypt the victim’s systems using the retrieved keys.

While most ransomware attacks target Windows systems, QNAPCrypt joins a growing list of ransomware going after Linux-based systems.

Cloud Snooper and SOCKS Proxies

Cloud Snooper malware uses a SOCKS proxy to bypass firewalls in cloud infrastructure. The malware, a backdoor trojan, can be executed as a command-line tool and as a daemon.

Cloud Snooper opens HTTP or domain name system (DNS) services on an infected system and enables traffic tunneling, operating both as a reverse SOCKS5 proxy server and as a client, SophosLabs researchers explain. The SOCKS5 proxy server used by the malware is based on the open-source sSOCKS proxy implementation.

In addition, the fileless Nodersok malware exploited a SOCKS proxy to compromise thousands of PCs last year. The malware first installs an HTML application (HTA) on the targeted computer; running the HTA files leads to Excel, JavaScript and PowerShell scripts being executed.

The malware then abuses Node.js and WinDivert to start a SOCKS4 proxy on infected computers. This turns them into proxies for sending malicious traffic. Next, the malware connects to the attackers’ command and control server. The server uses the SOCKS4 protocol to send an HTTP request to the client. The client proxies the request to the website and returns the response and the HTML page to the server.

Using a SOCKS proxy and other stealth components enables the malware to “fly under the radar” for a while. Therefore, it is best to use strong authentication to lessen the risk that SOCKS proxies are hijacked by attackers.
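The SOCKS5 method negotiation mentioned in the protocol overview, the SOCKS4 request/response exchange described for Nodersok, and the closing advice about strong authentication all come down to a handful of bytes at the start of each TCP flow. The following Python script is an added example, not code from Security Intelligence or from any of the malware analyses cited above: it decodes a SOCKS4/4a request (with the server's grant byte) or a SOCKS5 greeting (with the server's chosen method), and then flags listeners that are on a port the organization never approved for a proxy, as in the microSOCKS-on-a-high-port case, or that admit clients without credentials. The port numbers, payloads and the approved-port list are constructed for the example.

```python
"""Added example: decode the opening bytes of a TCP flow as a SOCKS4/4a request
or a SOCKS5 greeting plus method selection, then flag proxy listeners that are
not on an approved port or that accept unauthenticated clients.
All sample flows below are constructed for this example, not captured data."""
import struct
from dataclasses import dataclass
from typing import Optional

# SOCKS5 authentication method codes from RFC 1928 / RFC 1929
SOCKS5_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password",
                  0xFF: "no-acceptable"}
SOCKS4_COMMANDS = {0x01: "connect", 0x02: "bind"}


@dataclass
class SocksHandshake:
    version: int      # 4 or 5
    detail: str       # human-readable summary for an alert
    weak_auth: bool   # True when the server lets the client in without credentials


def parse_socks4(client: bytes, server: bytes) -> Optional[SocksHandshake]:
    """SOCKS4 request: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID... NUL [HOSTNAME... NUL]."""
    if len(client) < 9 or client[0] != 0x04 or client[1] not in SOCKS4_COMMANDS:
        return None
    port, = struct.unpack("!H", client[2:4])
    packed_ip = client[4:8]
    nul = client.find(b"\x00", 8)
    if nul == -1:
        return None
    userid = client[8:nul].decode("ascii", "replace")
    host = ".".join(str(b) for b in packed_ip)
    # SOCKS4a convention: destination 0.0.0.x (x != 0) means a hostname follows the userid
    if packed_ip[:3] == b"\x00\x00\x00" and packed_ip[3] != 0:
        end = client.find(b"\x00", nul + 1)
        if end != -1:
            host = client[nul + 1:end].decode("ascii", "replace")
    # SOCKS4 reply: VN(1)=0 CD(1); 0x5A means the request was granted
    granted = len(server) >= 2 and server[1] == 0x5A
    detail = f"SOCKS4 {SOCKS4_COMMANDS[client[1]]} to {host}:{port} userid={userid!r}"
    # The SOCKS4 userid is never verified, so a granted request is unauthenticated access
    return SocksHandshake(4, detail, granted)


def parse_socks5(client: bytes, server: bytes) -> Optional[SocksHandshake]:
    """SOCKS5 greeting: VER(1) NMETHODS(1) METHODS(n); the server answers VER(1) METHOD(1)."""
    if len(client) < 3 or client[0] != 0x05:
        return None
    n = client[1]
    if n == 0 or len(client) < 2 + n:
        return None
    offered = [SOCKS5_METHODS.get(m, f"0x{m:02x}") for m in client[2:2 + n]]
    chosen = server[1] if len(server) >= 2 and server[0] == 0x05 else None
    chosen_name = "no reply" if chosen is None else SOCKS5_METHODS.get(chosen, f"0x{chosen:02x}")
    detail = f"SOCKS5 greeting offered [{', '.join(offered)}], server chose {chosen_name}"
    # Only the server's selection matters: clients routinely offer 0x00 alongside real methods
    return SocksHandshake(5, detail, chosen == 0x00)


def classify_socks(client: bytes, server: bytes = b"") -> Optional[SocksHandshake]:
    """Identify a SOCKS4/4a request or SOCKS5 negotiation from the first bytes of each side."""
    return parse_socks4(client, server) or parse_socks5(client, server)


def find_unexpected_proxies(flows, approved_ports):
    """flows: iterable of (server_port, first_client_bytes, first_server_bytes).
    Returns (port, reason, detail) tuples for SOCKS listeners that are not on an
    approved port or that admit clients without authentication."""
    findings = []
    for port, client, server in flows:
        hs = classify_socks(client, server)
        if hs is None:
            continue
        if port not in approved_ports:
            findings.append((port, "SOCKS listener on unapproved port", hs.detail))
        elif hs.weak_auth:
            findings.append((port, "approved proxy admits unauthenticated clients", hs.detail))
    return findings


# Constructed sample flows: (server port, client bytes, server bytes)
SAMPLE_FLOWS = [
    # 1. SOCKS5 on a high port; the server picks method 0x00 (no authentication)
    (31337, b"\x05\x02\x00\x02", b"\x05\x00"),
    # 2. Approved corporate proxy on 1080 requiring username/password (method 0x02)
    (1080, b"\x05\x01\x02", b"\x05\x02"),
    # 3. SOCKS4 CONNECT to 192.0.2.10:80 via port 8080, request granted (0x5A)
    (8080, b"\x04\x01\x00\x50\xc0\x00\x02\x0a" + b"bot\x00", b"\x00\x5a" + b"\x00" * 6),
    # 4. Ordinary TLS ClientHello on 443: not SOCKS at all
    (443, b"\x16\x03\x01\x02\x00\x01\x00", b"\x16\x03\x03"),
]

if __name__ == "__main__":
    for finding in find_unexpected_proxies(SAMPLE_FLOWS, approved_ports={1080}):
        print(*finding, sep=" | ")
```

Fed with the first client and server bytes of each flow (from a packet capture or a flow sensor that records initial payloads), the script reports flows 1 and 3 and stays silent on the approved, authenticated proxy and on the TLS connection. The design choice worth noting is that a SOCKS5 client offering method 0x00 is not by itself a finding; it is the server selecting 0x00, or a SOCKS4 server granting a request, that shows unauthenticated proxying is actually accepted.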

Source of this news: https://securityintelligence.com/articles/what-is-socks-proxy-exploit/
