CYFIRMA research first alerted clients on the increase in open proxy usage as the attack method by known nation-sponsored actor groups in Apr 2020. Since then, these threat actors have accelerated their campaigns targeting a wide mix of industries in Japan as well as other markets.
CYFIRMA’s flagship product, DeCYFIR, has been picking up signals indicating that these threat actors are scanning, brute forcing and exploiting vulnerabilities through proxies to hide their original attack sources. Threat actors continue to expand their infrastructure, steal data from internet-facing systems, and build initial footholds into their target organizations with the objective of launching further cyber-espionage. Threat actors use open proxies to achieve their goals more effectively and anonymously.
This out-of-band report deep dives into open proxy usage by state-sponsored actors, attack scenarios to prepare for, and other recommendations. Here are the key takeaways.
With Proxychains, hackers can chain numerous proxies and use the Tor Browser to execute their actions so that investigators cannot trace the actual IP address. Any type of proxy can be used here, such as SOCKS5, SOCKS4, HTTP and HTTPS. These proxies are compatible with many reconnaissance tools and can be utilized as part of an attack campaign.
To understand how hackers access open proxy servers, CYFIRMA conducted additional research on proxy providers. MikroTik network devices are among the devices most widely exploited by state actors.
There are three types of open proxies, and hackers choose among them according to their attack vector requirements: data centre proxies, residential proxies and rotating proxies.
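The detection consequence of the proxy types above, and of rotating proxies in particular, is that a per-source-IP failure threshold misses a brute-force attempt spread across many proxy exits. The following is an added illustration, not CYFIRMA’s code or part of the report: it parses constructed sshd-style log lines, tags each source against a placeholder open-proxy indicator list (documentation IP ranges standing in for a real threat-intel feed), and aggregates failures across all proxy-tagged sources so that the distributed pattern is still flagged when each individual IP stays below the threshold.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed open-proxy indicator list. These are RFC 5737 documentation
# ranges used as placeholders; a real deployment would load this from a
# threat-intelligence feed of known open proxy exits.
OPEN_PROXY_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder: TEST-NET-3
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder: TEST-NET-2
]

# Constructed sample sshd authentication log lines (not from any real host).
SAMPLE_LOG = """\
Jun 10 02:11:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 10 02:11:03 host sshd[1203]: Failed password for admin from 203.0.113.9 port 51030 ssh2
Jun 10 02:11:05 host sshd[1205]: Failed password for root from 203.0.113.12 port 51044 ssh2
Jun 10 02:11:07 host sshd[1207]: Failed password for admin from 198.51.100.4 port 40011 ssh2
Jun 10 02:11:09 host sshd[1209]: Accepted publickey for deploy from 192.0.2.10 port 22310 ssh2
Jun 10 02:11:11 host sshd[1211]: Failed password for root from 192.0.2.55 port 22320 ssh2
"""

# Matches the auth-result, user and source IP of an sshd login event.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def is_open_proxy(ip: str) -> bool:
    """True when the source address falls inside a known open-proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OPEN_PROXY_NETS)


def parse(log_text: str):
    """Yield one dict per recognised sshd login event."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def analyze(log_text: str, per_ip_threshold: int = 3, proxy_threshold: int = 3) -> dict:
    """Report both classic per-IP brute force and proxy-distributed brute force.

    per_ip_threshold: failures from one IP needed to flag that IP on its own.
    proxy_threshold:  failures across *all* proxy-tagged IPs needed to flag a
                      distributed attempt, regardless of per-IP counts.
    """
    failures_by_ip = Counter()
    proxy_failures_by_user = Counter()
    proxy_ips_by_user = defaultdict(set)

    for ev in parse(log_text):
        if ev["result"] != "Failed":
            continue
        failures_by_ip[ev["ip"]] += 1
        if is_open_proxy(ev["ip"]):
            proxy_failures_by_user[ev["user"]] += 1
            proxy_ips_by_user[ev["user"]].add(ev["ip"])

    noisy_ips = {ip: n for ip, n in failures_by_ip.items() if n >= per_ip_threshold}
    proxy_total = sum(proxy_failures_by_user.values())
    proxy_sources = sorted(set().union(*proxy_ips_by_user.values())) if proxy_ips_by_user else []

    return {
        "noisy_ips": noisy_ips,                      # what a per-IP rule alone would catch
        "proxy_failures": proxy_total,               # failures attributable to proxy exits
        "proxy_source_ips": proxy_sources,           # distinct proxy exits seen
        "targeted_users": dict(proxy_failures_by_user),
        "distributed_proxy_bruteforce": proxy_total >= proxy_threshold,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample no single IP reaches the per-IP threshold, so the conventional rule returns nothing, while the proxy-aggregated view reports four failures from four distinct proxy exits and raises the distributed flag. The indicator list is the part that does the real work; its quality, and how often it is refreshed, determines how much of a rotating-proxy campaign is visible.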
CYFIRMA researchers also uncovered many proxy providers in the dark web whose tools can be used to exploit routers and devices to gain access to confidential systems and launch their payloads.
CYFIRMA uncovered Chinese, N. Korean and Russian state-sponsored hackers using open proxy servers in their many campaigns. This OOB report describes the profiles of their campaigns, and two samples are illustrated here:
Last Observation: Jun 2020
Campaign (Last Observed): $BLT20
Associated threat actors: Stone Panda (APT10) (Chinese)
Targeted geographies: US, UK, France, Italy, Japan
Targeted industries: Hospitality, Transport
Description: The campaign is suspected to be carried out by Mandarin-speaking hacker groups, believed to be active since November 2019. In recent times, hacker groups were observed carrying out cyberattacks against a global hotel conglomerate to exfiltrate Personally Identifiable Information (PII).
Last Observation: Jun 2020
Campaign (Last Observed): Mud Nationals
Associated threat actors: Lazarus Group (APT38, Hidden Cobra) (N. Korean)
Targeted geographies: Japan, Others
Targeted industries: Multiple Large Iconic Companies
Description: The campaign is suspected to be carried out by the Lazarus group of North Korea, aligned to the interests of government goals and to financial gain. The primary intent of this campaign is to carry out corporate espionage to steal intellectual property details of five major technology organizations in Japan and trade them with local Chinese companies, under the guidance of Chinese hackers. The campaign has been active since July 2018 and has seen increased activity recently. Hackers have been targeting product samples and their chemical composition, design, and architecture. CTI observed hackers’ interest in new cloud technologies, IoT, blockchain, automation systems, and robotics.
This OOB report also includes strategic, management, and tactical recommendations to help companies protect their network and data from cyberattacks using open proxies.