It’s common for threat actors to leverage a variety of new malicious techniques for financial gain. Recently, security experts from Cisco Talos uncovered a new kind of threat vector in which attackers are misusing users’ internet connections to monetize their malware campaigns. Internet-sharing services or Proxyware platforms like Honeygain and Nanowire are being exploited to sell users’ internet bandwidth without their knowledge.
What is Proxyware?
Proxyware is a software that allows enterprises to share a percentage of their (unused) internet bandwidth with others in exchange for nominal fees. For this, users should install the client application to join their network operated by a Proxyware platform provider and sell their internet access to other users.
The researchers stated that threat actors are leveraging multiple hacking techniques to monetize Proxyware platforms. Several malware campaigns and malicious cryptocurrency mining operations are using these platforms to monetize the internet bandwidth of victims.
“As Proxyware has grown in popularity, attackers have taken notice and are now attempting to exploit this interest to monetize their malware campaigns. Trojanized installers are some of the most common threats taking advantage of public interest in Proxyware to infect victims. These applications pose significant privacy and operational risks to organizations as they may allow nefarious or abusive network traffic to appear as if it originates from their corporate networks resulting in reputational damages that may also lead to service disruption,” Cisco Talos said.
The researchers claim to have identified a malware family exploiting the patched version of the Honeygain client and Nanowire client Proxyware applications.
Mitigation
Organizations should be aware of the implications of internet sharing platforms as they pose severe risks to critical corporate networks. Security admins should learn how the Proxyware services work and how they are being abused if not secured.
“This is a recent trend, but the potential to grow is enormous. We are already seeing serious abuse by threat actors that stand to make a significant amount of money off these attacks. These networks may also allow threat actors to obfuscate the source of their attacks, making them appear as if they are originating from legitimate corporate networks. Security analysts could struggle to analyze and/or respond to these attacks and render conventional network defenses that rely on reputation or IP-based blocklists ineffective. Some users or organizations could even eventually become wrapped up in part of a law enforcement investigation if their infrastructure is used for illicit or illegal purposes,” Cisco Talos added.
