fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft SQL Servers Hacked to Steal Bandwidth for Proxy Services

Microsoft SQL Servers Hacked to Steal Bandwidth for Proxy Services

Threat actors are generating revenue by using adware bundles, malware, or even hacking into Microsoft SQL servers, to convert devices into proxies that are rented through online proxy services.

To steal a device’s bandwidth, the threat actors install software called ‘proxyware’ that allocates a device’s available internet bandwidth as a proxy server that remote users can use for various tasks, like testing, intelligence collection, content distribution, or market research.

Botters also love these proxy services as they gain access to residential IP addresses that have not been blacklisted from online retailers.

In return for sharing their bandwidth, the device’s owner gets a revenue share of the fees charged to customers. For example, the Peer2Profit service shows users making as much as $6,000 per month by installing the company’s software on thousands of devices.

Also Read: Social engineering attacks: 4 Ways businesses and individuals can protect themselves

Top 10 users on the Peer2Profit proxy service
Top 10 users on the Peer2Profit proxy service

According to a new report published today by researchers at South Korean company Ahnlab, new malware campaigns have emerged that install proxyware to earn money from sharing their victim’s network bandwidth.

The attackers receive compensation for the bandwidth by setting their email address for the user, while the victims might only notice some connectivity slowdowns and hiccups.

Sneaking proxy clients on devices

Ahnlab observed the installation of proxyware software for services, such as Peer2Profit and IPRoyal, via adware bundles and other malware strains.

The malware checks if the proxy client is running on the host, and it can use the “p2p_start()” function to launch it if it’s deactivated.

Creating and running Peer2Profit SDK
Creating and running Peer2Profit SDK (ASEC)

In the case of IPRoyal’s Pawns, the malware prefers to install the CLI version of the client instead of the GUI one, as the goal is to have the process run stealthily in the background.

Also Read: How can businesses protect their enterprise from Business Email Compromise (BEC) attacks?

Installing and configuring Pawns CLI
Installing and configuring Pawns CLI (ASEC)

In more recent observations, attackers used Pawns in DLL form and provided their emails and passwords in encoded string form, launching it with the functions “Initialize()” and “startMainRoutine().”

Pawns launch routine
Pawns launch routine (ASEC)

Once the proxyware is installed on a device, the software adds it as an available proxy that remote users can use for whatever task they want on the Internet.

Unfortunately, this also means that other threat actors can use these proxies for illegal activities without the victim being aware.

Infecting MS-SQL servers too

According to Ahnlab’s report, malware operators using this scheme to generate revenue also target vulnerable MS-SQL servers to installPeer2Profit clients.

This has been going on since early June 2022, with most logs retrieved from infected systems revealing the existence of a UPX-packed database file named “sdk.mdf.”

SQL process installing Peer2Profit
SQL process installing Peer2Profit (ASEC)

Among the more common threats for Microsoft SQL servers are cryptocurrency coin miners that perform cryptojacking. There are also plenty of instances where the threat actor uses the server as a pivoting point into the network via Cobalt Strike beacons

The reason behind using proxyware clients is likely an increased chance of remaining undetected for extended periods, which translates into more significant profits. It is unclear how much money actors generate via this method, though.

Furthermore, Microsoft SQL servers are usually located in corporate networks or data centers with abundant Internet bandwidth that proxy services can sell for illegal purposes.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us