Under Attack: How Threat Actors are Exploiting SOCKS Proxies – Security Intelligence


From the basic building blocks of the internet to cryptocurrency mining on a supercomputer, SOCKS sits at the core of computing. A SOCKS proxy can be used to improve network security in an enterprise, but can also be exploited by cybercriminals for nefarious reasons. Take a look at how SOCKS proxies have been manipulated recently by threat actors.

What is a SOCKS Proxy?

SOCKS, which stands for Socket Secure, is an internet protocol that enables the exchange of packets between a client and a server through a proxy server.

According to the Internet Engineering Task Force, the protocol is “designed to provide a framework for client-server applications in both the TCP (transmission control protocol) and UDP (user datagram protocol) domains to conveniently and securely use the services of a network firewall.”

A proxy server functions as an intermediary for requests from a client in an internal network seeking services or resources from the internet. The proxy server has its own public IP address.

There are a number of use cases for a proxy server: to improve network security, carry out actions anonymously, balance network traffic, control employee internet usage and provide faster network speeds by compressing traffic, caching files and stripping ads from websites.

There are currently two versions of SOCKS in use: SOCKS4 and SOCKS5. SOCKS5 is the current version of the protocol; it adds support for a variety of authentication methods, as well as for User Datagram Protocol (UDP) proxying.

There are several benefits to using the latest version of SOCKS for a proxy server. First, it enables an administrator to remotely access backend services within a cluster hosted in the cloud behind a firewall, without exposing the backend service ports. Second, it requires nothing special beyond secure shell (SSH) access to the edge node or gateway. Third, a SOCKS5 proxy can route test TCP (TTCP) and UDP traffic through SSH tunneling, so each service does not require its own proxy to send requests. And finally, it does not rewrite data packets, so it makes fewer errors and improves performance.
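To make the protocol structure concrete, here is an added example (not code from the article or from any project it mentions) that encodes and decodes the SOCKS5 handshake messages defined in RFC 1928: the client greeting with its list of offered authentication methods, the server's method selection, and the CONNECT request carrying an IPv4, IPv6 or domain-name destination. The method constants and sample values are taken from the RFC; the function names are this example's own.

```python
"""SOCKS5 (RFC 1928) handshake encoder/decoder. Added example; not the article's code."""
import ipaddress
import struct

VER = 0x05
# Authentication methods a client may offer in its greeting (RFC 1928 section 3).
METHOD_NO_AUTH = 0x00
METHOD_GSSAPI = 0x01
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF  # server reply meaning "no offered method is acceptable"
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_greeting(methods):
    """Client greeting: VER | NMETHODS | METHODS (one byte per method)."""
    if not 1 <= len(methods) <= 255:
        raise ValueError("a greeting carries 1..255 methods")
    return bytes([VER, len(methods), *methods])


def parse_greeting(data):
    """Return the authentication methods a client offers; raise on malformed input."""
    if len(data) < 2 or data[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    if len(data) != 2 + nmethods:
        raise ValueError("method list length does not match NMETHODS")
    return list(data[2:2 + nmethods])


def parse_method_selection(data):
    """Server reply to the greeting: VER | METHOD. 0xFF means the server refused."""
    if len(data) != 2 or data[0] != VER:
        raise ValueError("not a SOCKS5 method selection")
    return data[1]


def build_request(cmd, host, port):
    """Client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (network order)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: send it as a domain name (length-prefixed, max 255 bytes).
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([VER, cmd, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data):
    """Return (cmd, host, port) from a client request; raise on malformed input."""
    if len(data) < 4 or data[0] != VER or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_start, addr_end = 4, 8
    elif atyp == ATYP_IPV6:
        addr_start, addr_end = 4, 20
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated domain length")
        addr_start, addr_end = 5, 5 + data[4]
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(data) != addr_end + 2:
        raise ValueError("request length does not match address type")
    raw = data[addr_start:addr_end]
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(raw))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(raw))
    else:
        host = raw.decode("idna")
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return cmd, host, port


if __name__ == "__main__":
    # Constructed exchange: a client offering NO AUTH and USERNAME/PASSWORD, then CONNECT.
    greeting = build_greeting([METHOD_NO_AUTH, METHOD_USERPASS])
    print("greeting:", greeting.hex(), "offers", parse_greeting(greeting))
    req = build_request(CMD_CONNECT, "example.com", 443)
    print("request:", req.hex(), "->", parse_request(req))
```

A listener that answers the greeting with method 0x00 is an unauthenticated proxy, which is exactly the configuration the attacks described later in this article rely on; checking the selected method in the server's reply is the quickest way to classify a SOCKS5 endpoint during an audit.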

SOCKS5 Proxies Used in Supercomputer Attacks

Unfortunately, a SOCKS proxy can be abused by attackers to carry out various types of nefarious activities.

A recent example involves cryptomining attacks on academic supercomputers used to conduct advanced research. The attackers were able to connect to a SOCKS5 proxy host running a microSOCKS instance on a high port. They did this by exploiting an SSH connection from the anonymous Tor network, according to research by the European Grid Infrastructure Foundation’s computer security incident response team. MicroSOCKS is a multithreaded, small SOCKS5 server.

Normally, researchers use the SSH connection to log in to the supercomputers remotely. The attackers were able to steal the SSH credentials and move between supercomputers using the stolen SSH credentials. The attackers then used the supercomputers to mine cryptocurrency.

The academic institutions running the supercomputers had to shut them down to clear the cryptomining malware, disrupting valuable academic research.

SOCKS5 Exploited by Dark Nexus Botnet

In another recent attack, the Dark Nexus internet of things (IoT) botnet was able to enlist a SOCKS proxy in a scheme offering distributed denial-of-service (DDoS)-for-hire services.

The Dark Nexus attackers infect IoT devices and then run a SOCKS5 proxy on a randomly chosen port that connects with the command and control server as part of the registration, based on a Bitdefender analysis.

Bitdefender researchers believe the attackers are selling access to the SOCKS5 proxies on an underground forum. However, they do not have direct evidence to support this belief.

In addition, the Gwmndy botnet abused SOCKS proxy servers. Gwmndy attackers targeted Fiberhome routers and added 200 routers per day to their botnet, stopping after reaching that number, according to 360 Netlab researchers.

Instead of using the botnet for DDoS attacks, cryptojacking, sending spam or stealing data, the Gwmndy botnet operators appeared to use the routers for SSH tunneling proxy nodes and creating a SOCKS5 proxy service locally.

Ransomware Attackers Abuse SOCKS Proxies

Ransomware attackers also use SOCKS proxies. The QNAPCrypt ransomware, which focused on infecting network-attached storage Linux devices, exploited authentication methods used by companies to establish connections through a SOCKS5 proxy, according to Intezer researchers.

Central to the multistage QNAPCrypt ransomware attack is a SOCKS5 proxy. First, the ransomware connects to a SOCKS5 proxy. The proxy requests the victim’s configuration keys to retrieve the ransomware client from an Onion domain. It retrieves an RSA public key, unique Bitcoin wallet and ransom note from the Onion domain. After going through the SOCKS5 proxy again, the ransomware proceeds to encrypt the victim’s systems using the retrieved keys.

While most ransomware attacks target Windows systems, QNAPCrypt joins a growing list of ransomware going after Linux-based systems.

Cloud Snooper and SOCKS Proxies

Cloud Snooper malware uses a SOCKS proxy to bypass firewalls in cloud infrastructure. The malware, a backdoor trojan, can be executed as a command-line tool and as a daemon.

Cloud Snooper opens HTTP or domain name system (DNS) services on an infected system and enables traffic tunneling, operating both as a reverse SOCKS5 proxy server and as a client, SophosLabs researchers explain. The SOCKS5 proxy server used by the malware is based on the open-source sSOCKS proxy implementation.

In addition, the fileless Nodersok malware exploited a SOCKS proxy to compromise thousands of PCs last year. The malware first installs an HTML application (HTA) on the targeted computer, which runs the HTA files and abuses Excel, JavaScript and PowerShell scripts.

The malware then abuses Node.js and WinDivert to start a SOCKS4 proxy on infected computers. This turns them into proxies for sending malicious traffic. Next, the malware connects to the attackers’ command and control server. The server uses the SOCKS4 protocol to send an HTTP request to the client. The client proxies the request to the website and returns the response and the HTML page to the server.

Using a SOCKS proxy and other stealth components enables the malware to “fly under the radar” for a while. Therefore, it is best to use strong authentication to lessen the risk that SOCKS proxies are hijacked by attackers.
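The recommendation above means, in protocol terms, that a SOCKS5 server should refuse the NO AUTH method and require the username/password sub-negotiation of RFC 1929. The following added example (not code from the article or from any project it names) shows the server side of that policy: it answers a client greeting by selecting USERNAME/PASSWORD when offered and replying 0xFF otherwise, then verifies an RFC 1929 authentication request against salted PBKDF2 hashes using a constant-time comparison. The credential store layout, the iteration count and the sample user are this example's own assumptions.

```python
"""Server-side SOCKS5 method selection plus RFC 1929 username/password verification.
Added example; not the article's code."""
import hashlib
import hmac
import os

VER = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
AUTH_VER = 0x01            # RFC 1929 sub-negotiation version byte
AUTH_OK, AUTH_FAIL = 0x00, 0x01
PBKDF2_ROUNDS = 200_000    # assumed tuning; raise for production hardware
# Dummy record used when the user is unknown, so unknown and known users cost the same.
_DUMMY = (b"\x00" * 16, b"\x00" * 32)


def make_record(password, salt=None):
    """Create a (salt, digest) credential record; salt is random unless supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def select_method(greeting, require_auth=True):
    """Answer a client greeting. Returns (2-byte reply, chosen method).

    With require_auth=True (the hardened setting) a client that only offers
    NO AUTH gets 0xFF, and RFC 1928 says it must then close the connection."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed SOCKS5 greeting")
    offered = set(greeting[2:])
    if METHOD_USERPASS in offered:
        chosen = METHOD_USERPASS
    elif METHOD_NO_AUTH in offered and not require_auth:
        chosen = METHOD_NO_AUTH          # the weak setting the article warns about
    else:
        chosen = METHOD_NONE_ACCEPTABLE
    return bytes([VER, chosen]), chosen


def build_auth_request(username, password):
    """Client side of RFC 1929: VER | ULEN | UNAME | PLEN | PASSWD."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if not 1 <= len(u) <= 255 or not 1 <= len(p) <= 255:
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([AUTH_VER, len(u)]) + u + bytes([len(p)]) + p


def parse_auth_request(data):
    """Decode an RFC 1929 request into (username, password); raise if malformed."""
    if len(data) < 2 or data[0] != AUTH_VER:
        raise ValueError("not an RFC 1929 request")
    ulen = data[1]
    if len(data) < 3 + ulen:
        raise ValueError("truncated username")
    plen = data[2 + ulen]
    if len(data) != 3 + ulen + plen:
        raise ValueError("length does not match ULEN/PLEN")
    uname = data[2:2 + ulen].decode("utf-8")
    passwd = data[3 + ulen:3 + ulen + plen].decode("utf-8")
    return uname, passwd


def verify(data, users):
    """Return the 2-byte RFC 1929 status reply for a request.

    users maps username -> (salt, digest) as produced by make_record().
    A malformed request, unknown user or wrong password all yield status 0x01."""
    try:
        uname, passwd = parse_auth_request(data)
    except ValueError:   # UnicodeDecodeError is a ValueError subclass
        return bytes([AUTH_VER, AUTH_FAIL])
    salt, stored = users.get(uname, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", passwd.encode("utf-8"), salt, PBKDF2_ROUNDS)
    ok = hmac.compare_digest(candidate, stored) and uname in users
    return bytes([AUTH_VER, AUTH_OK if ok else AUTH_FAIL])


if __name__ == "__main__":
    # Constructed demo: one user, one greeting offering only NO AUTH, one offering both.
    store = {"alice": make_record("correct horse battery")}
    print("NO AUTH only ->", select_method(b"\x05\x01\x00")[0].hex())
    print("NO AUTH + USER/PASS ->", select_method(b"\x05\x02\x00\x02")[0].hex())
    print("good login ->", verify(build_auth_request("alice", "correct horse battery"), store).hex())
    print("bad login ->", verify(build_auth_request("alice", "nope"), store).hex())
```

The dummy record keeps the hashing cost identical for unknown and known usernames, so response timing does not reveal which accounts exist; the `uname in users` check after the comparison then makes sure the dummy digest can never match.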

Source of this news: https://securityintelligence.com/articles/what-is-socks-proxy-exploit/
