Proxies are smart tools people use to access restricted content and browse the internet privately.
But since April 2020, an increase in open proxy usage has accompanied cyberattacks by known state-sponsored actor groups.
This has only escalated as they continue to target many industries in Japan and markets around the world.
DeCYFIR, CYFIRMA’s flagship product, has proved effective at identifying these actors, who use proxies to hide their identity.
They consistently rely on proxies to stay in the shadows. So, what do they aim to achieve from these attacks?
If you think about it, they can steal a lot of sensitive information available on the internet, such as infrastructure plans and company data, and plan their initial attack based on what they learn.
How do they remain undetected?
They use proxies to hide their real IP address and rotate through IP addresses to evade detection.
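Detecting this from the defender's side comes down to two signals the text mentions: requests arriving from addresses on a known open-proxy or Tor exit list, and a single session whose source IP keeps changing. The following is an added example, not CYFIRMA's or DeCYFIR's code. It assumes a combined-format access log with the session id appended as a `sid=` field and a locally maintained open-proxy list; both the log lines and the proxy ranges below are constructed (IETF documentation ranges), not real infrastructure.

```python
"""Flag web sessions that come through open proxies or rotate source IPs.

Added example (not CYFIRMA's code). Assumptions: combined-format access log
with a trailing "sid=<session id>" field, and an open-proxy list you maintain
from your own threat-intel feed. All data below is constructed for the demo.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for an open-proxy / Tor-exit list (documentation ranges).
OPEN_PROXY_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Combined log format plus an assumed "sid=" field carrying the session cookie.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" sid=(?P<sid>\S+)$'
)

# Constructed sample: session abc123 hops across three proxy addresses;
# session def456 is an ordinary visitor from a single address.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2020:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" sid=abc123
203.0.113.77 - - [01/Jun/2020:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" sid=abc123
198.51.100.9 - - [01/Jun/2020:10:00:09 +0000] "GET /admin/export HTTP/1.1" 200 90210 "-" "Mozilla/5.0" sid=abc123
192.0.2.5 - - [01/Jun/2020:10:01:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" sid=def456
192.0.2.5 - - [01/Jun/2020:10:01:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0" sid=def456
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_open_proxy(ip):
    """True if the address falls inside any listed open-proxy network."""
    addr = ip_address(ip)
    return any(addr in net for net in OPEN_PROXY_NETS)


def analyse(events, rotate_threshold=3):
    """Group events by session and attach flags.

    rotate_threshold: number of distinct source IPs in one session before it
    is flagged as rotating (a mobile user may legitimately change once).
    Returns {sid: {"ips": [...], "proxy_hits": int, "flags": [...]}}.
    """
    sessions = defaultdict(lambda: {"ips": [], "proxy_hits": 0, "flags": []})
    for e in events:
        s = sessions[e["sid"]]
        if e["ip"] not in s["ips"]:
            s["ips"].append(e["ip"])
        if is_open_proxy(e["ip"]):
            s["proxy_hits"] += 1
    for s in sessions.values():
        if s["proxy_hits"]:
            s["flags"].append("open_proxy_source")
        if len(s["ips"]) >= rotate_threshold:
            s["flags"].append("rotating_source_ip")
    return dict(sessions)


if __name__ == "__main__":
    for sid, s in analyse(parse_log(SAMPLE_LOG)).items():
        print(sid, s["ips"], s["proxy_hits"], s["flags"])
```

In practice the proxy list would be refreshed from a feed rather than hard-coded, and the rotating-IP check is most useful on authenticated sessions, where a legitimate user rarely spans three networks in a few seconds.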
In this article, we’ll discuss the attacks by these actors and look into two real scenarios. Let’s get started.
Let’s learn how these actors use proxies.
The attackers take advantage of open proxies that are readily available on the internet. Through them, they look for exposed servers such as ElasticSearch or MongoDB.
Then, they kick-start their attack by launching DDoS attacks.
You can also expect them to move on to crypto mining.
This has become more serious because of the pandemic.
COVID-19 took the world by storm and forced businesses to adopt a remote model where they take their shop online and employees work from home.
In the real world, a few businesses understand the importance of cybersecurity and implement measures to stop such attacks.
But many businesses lack this knowledge and end up being compromised by these actors.
Another fact that helps the attackers is that businesses now rely on home networks and poor VPN services, which are easy to break into.
Proxychains, Proxy providers
What do the attackers do behind the scenes?
They utilise proxy chains, which let them route their traffic through many proxies chained together.
Then, they use the Tor browser to execute their plans while remaining undetected by the authorities.
They hide their actual IP addresses behind SOCKS5, SOCKS4, HTTPS and HTTP proxies. So, why these proxies?
It’s because these are some common proxies used by businesses, and you can easily use them with many reconnaissance tools.
MikroTik networks are one example of business infrastructure exploited by the attackers.
And they are smart because they carefully choose which type of proxy they need to target depending on their goals.
For instance, they may go with data center proxies, residential proxies or rotating proxies.
This doesn’t stop here because there are many proxy providers available on the dark web who also provide tools to exploit confidential info of vulnerable businesses.
Recent Open Proxy Usage by Nation-sponsored Threat Actors
A recent survey found that many state-sponsored hackers are using open proxy servers.
These include Chinese, N. Korean and Russian-sponsored attackers.
Observed in June 2020 under the campaign $BLT20, the Chinese state-sponsored actor Stone Panda targeted locations in the US, UK, Italy, Japan, and France.
In this campaign, one Mandarin-speaking group carried out a series of cyberattacks against a hotel conglomerate to exfiltrate Personally Identifiable Information (PII).
A similar case happened under the campaign Mud Nationals by the Lazarus Group sponsored by the N. Korean state.
They targeted locations in Japan.
This group executed a campaign whose goals aligned with those of its government.
They wanted to steal intellectual property from five major technology organisations in Japan.
What’s interesting is that the campaign is still active, and the attackers are constantly observing product samples and designs.
There you have it. Now, you know how attackers are using open proxies to target established organisations and businesses to exploit their data and trade it with anyone willing to pay the sum.