can steal a lot of sensitive information available on the internet, such as infrastructure plans and company data, and plan their initial attack based on what they have gathered. How do they manage to stay undetected? They route their traffic through proxies to hide their real IP address and rotate through many addresses, so that a detector keyed on a single source IP never sees enough from any one of them to raise an alert. In this article we discuss how these actors operate and look at two real-life scenarios. Let's get started.
Reference information
Let's look at how these actors use proxy servers. Attackers start from open proxy servers, which are easy to find on the internet, and route their scanning through them. They then hunt for services exposed without authentication, such as Elasticsearch or MongoDB instances, and use what they find for the next stage: launching DDoS traffic, or installing cryptocurrency miners on the compromised hosts. The problem grew worse during the pandemic. COVID-19 forced businesses into a remote model, moving their stores online and sending employees to work from home. Some businesses understand the importance of cybersecurity and take measures against such attacks, but many lack that knowledge and end up falling prey to attackers. Attackers are further helped by the fact that employees now work from home networks and through poorly configured VPN services that are easier to compromise.
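The introduction says attackers rotate IP addresses to fool detectors, and this section says they begin by hunting for exposed services. The detector that rotation defeats is the per-IP rate limit. What follows is an added example, not code from the original article: it runs two detectors over a constructed JSON access log containing a scanner that hits Elasticsearch discovery endpoints once per exit address from a pool of eight, and one ordinary user browsing from a single home IP. The log lines, the addresses and the KNOWN_OPEN_PROXIES list are all made up for the demonstration, and the function names are mine.

```python
import json
from collections import defaultdict

WINDOW_SECONDS = 60

# Constructed sample traffic (not real logs): a scanner that probes Elasticsearch
# discovery endpoints once per source address from a pool of proxy exits, plus one
# ordinary user who browses a web app from a single home connection.
def constructed_log():
    lines = []
    probes = ["/_cat/indices", "/_cluster/health", "/_all/_search?size=1", "/",
              "/_nodes", "/_cat/indices", "/_cluster/health", "/_nodes"]
    for i, path in enumerate(probes):
        lines.append(json.dumps({"ts": 1700000000 + 6 * i, "src_ip": f"203.0.113.{i + 1}",
                                 "method": "GET", "path": path, "status": 200,
                                 "ua": "python-requests/2.31.0"}))
    for i in range(12):
        lines.append(json.dumps({"ts": 1700000000 + 4 * i, "src_ip": "192.0.2.10",
                                 "method": "GET", "path": f"/app/page/{i}", "status": 200,
                                 "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"}))
    return "\n".join(lines)

# Constructed list of known open-proxy exits (stand-in for a threat-intel feed).
KNOWN_OPEN_PROXIES = {"203.0.113.2", "203.0.113.5", "203.0.113.7"}

# Elasticsearch paths an unauthenticated scanner hits first.
PROBE_PREFIXES = ("/_cat/", "/_cluster/", "/_nodes", "/_all/")

def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _sliding_windows(items, window):
    """Yield (index, start_index) for the window of `window` seconds ending at each sorted item."""
    j = 0
    for i, (t, _) in enumerate(items):
        while items[j][0] < t - window:
            j += 1
        yield i, j

def per_ip_rate_alerts(events, threshold=10, window=WINDOW_SECONDS):
    """Classic per-IP rate limit: flag an IP with more than `threshold` hits in `window` seconds.
    A client that rotates exits makes one request per IP and never reaches the threshold."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append((e["ts"], e["src_ip"]))
    flagged = set()
    for ip, hits in by_ip.items():
        hits.sort()
        if any(i - j + 1 > threshold for i, j in _sliding_windows(hits, window)):
            flagged.add(ip)
    return flagged

def rotating_client_alerts(events, min_ips=5, window=WINDOW_SECONDS):
    """Key on what rotation does not change (here the User-Agent; in production a richer
    fingerprint) and flag one client identity seen from `min_ips` or more source IPs."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["ua"]].append((e["ts"], e["src_ip"]))
    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        best = set()
        for i, j in _sliding_windows(hits, window):
            ips = {ip for _, ip in hits[j:i + 1]}
            if len(ips) > len(best):
                best = ips
        if len(best) >= min_ips:
            flagged[client] = best
    return flagged

def analyze(text):
    events = parse_log(text)
    rotating = rotating_client_alerts(events)
    rotating_ips = set().union(*rotating.values()) if rotating else set()
    return {
        "per_ip": per_ip_rate_alerts(events),
        "rotating": rotating,
        "probe_hits": sum(e["path"].startswith(PROBE_PREFIXES) for e in events),
        "known_proxy_exits": rotating_ips & KNOWN_OPEN_PROXIES,
    }

if __name__ == "__main__":
    print(analyze(constructed_log()))
```

The per-IP limit flags the heavy but legitimate user and never notices the scanner, because no single exit makes more than one request. Keying on what rotation leaves unchanged (the User-Agent here, which is trivially spoofable; a TLS fingerprint, session token or header ordering is the production choice) surfaces one client identity spread across eight addresses, three of which sit on the open-proxy list, and its seven requests all land on discovery endpoints that a normal application client never calls.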
Proxy chains, proxy providers
What do the attackers do behind the scenes? They use proxy chains, tools that route a connection through several proxies in sequence so that each hop sees only the hop before it. On top of that they use the Tor Browser to carry out their plans without being traced by the authorities. They hide their real IP addresses behind SOCKS5, SOCKS4, HTTPS and HTTP proxies. Why these types? Because they are the proxy types businesses commonly run, and most reconnaissance tools support them out of the box. Compromised MikroTik routers, turned into proxies by attackers, are one example of business equipment being exploited this way. The attackers are also deliberate about which kind of proxy they use for a given goal: data center proxies (cheap and fast, but easy to recognise as hosting ranges), residential proxies (addresses of real home connections, which blend in with normal user traffic), or rotating proxies (a fresh exit address for every request or every few minutes). It doesn't end there: many proxy providers on the dark web also sell tools for exploiting the sensitive information of vulnerable businesses.
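To make "chain together many proxies" concrete, here is an added example that is not the article's code nor that of any proxy tool: it implements the SOCKS5 CONNECT exchange from both sides in Python and nests it. The client dials the first hop, asks it to CONNECT to the second hop, then runs the same handshake again through that tunnel to reach the final target. Everything runs on 127.0.0.1 with a toy echo service standing in for the target; the function names, the payload and the loopback topology are assumptions of the example.

```python
import socket
import struct
import threading
from contextlib import suppress

VER, NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 0, 1, 1, 3

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n and (chunk := sock.recv(n - len(buf))):
        buf += chunk
    if len(buf) < n:
        raise ConnectionError("peer closed mid-handshake")
    return buf

def socks5_connect(sock, host, port):
    """Client side of a SOCKS5 CONNECT (RFC 1928, no-auth method) for an IPv4 target. It only
    needs a byte stream, so it can be run again *inside* a tunnel already built: a proxy chain."""
    sock.sendall(bytes([VER, 1, NO_AUTH]))
    if _recv_exact(sock, 2) != bytes([VER, NO_AUTH]):
        raise ConnectionError("proxy rejected the no-auth method")
    sock.sendall(bytes([VER, CMD_CONNECT, 0, ATYP_IPV4]) + socket.inet_aton(host) + struct.pack(">H", port))
    _, rep, _, atyp = _recv_exact(sock, 4)
    if rep != 0:
        raise ConnectionError(f"CONNECT refused, reply code {rep}")
    # Discard BND.ADDR and BND.PORT; the address length depends on the reply's address type.
    addr_len = 4 if atyp == ATYP_IPV4 else _recv_exact(sock, 1)[0] if atyp == ATYP_DOMAIN else 16
    _recv_exact(sock, addr_len + 2)

def _pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the reverse direction can drain."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def socks5_serve(client):
    """Minimal no-auth SOCKS5 proxy: parse CONNECT, dial the target, relay both ways.
    Failures get RFC 1928 reply codes (5 refused, 7 bad command, 8 bad address type)."""
    with client:
        ver, nmethods = _recv_exact(client, 2)
        if ver != VER or NO_AUTH not in _recv_exact(client, nmethods):
            client.sendall(bytes([VER, 0xFF]))  # no acceptable authentication method
            return
        client.sendall(bytes([VER, NO_AUTH]))
        _, cmd, _, atyp = _recv_exact(client, 4)
        if cmd != CMD_CONNECT or atyp != ATYP_IPV4:  # this toy proxy dials IPv4 targets only
            client.sendall(bytes([VER, 7 if cmd != CMD_CONNECT else 8, 0, ATYP_IPV4]) + bytes(6))
            return
        host = socket.inet_ntoa(_recv_exact(client, 4))
        port = struct.unpack(">H", _recv_exact(client, 2))[0]
        try:
            upstream = socket.create_connection((host, port))
        except OSError:
            client.sendall(bytes([VER, 5, 0, ATYP_IPV4]) + bytes(6))
            return
        with upstream:
            client.sendall(bytes([VER, 0, 0, ATYP_IPV4]) + bytes(6))  # success, BND.* zeroed
            back = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
            back.start()
            _pipe(client, upstream)
            back.join()

def start_listener(handler):
    """Bind an ephemeral loopback port and run handler(conn) in a thread per connection."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen()
    def accept_loop():
        with suppress(OSError):  # ends when the listener is closed
            while True:
                conn, _ = lsock.accept()
                threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]

def send_through_chain(hops, target, payload):
    """Dial hops[0] directly, then issue every further CONNECT through the tunnel built so far.
    Returns (client's own local port, reply line read back through the chain)."""
    with socket.create_connection(hops[0], timeout=5) as sock:
        for host, port in hops[1:] + [target]:
            socks5_connect(sock, host, port)
        sock.sendall(payload)
        reply = b""
        while not reply.endswith(b"\n") and (chunk := sock.recv(4096)):
            reply += chunk
        return sock.getsockname()[1], reply

def demo():
    # Two SOCKS5 hops in front of a loopback echo service that records the peer port it saw.
    target_saw = []
    def echo(conn):
        with conn:
            target_saw.append(conn.getpeername()[1])
            line = b""
            while not line.endswith(b"\n") and (chunk := conn.recv(4096)):
                line += chunk
            conn.sendall(line)
    target = ("127.0.0.1", start_listener(echo))
    hops = [("127.0.0.1", start_listener(socks5_serve)) for _ in range(2)]
    client_port, reply = send_through_chain(hops, target, b"hello through two hops\n")
    return {"reply": reply, "client_port": client_port, "port_seen_by_target": target_saw[0]}
```

The target sees the last hop's address and port, never the client's, which is exactly why source-IP attribution fails against chained proxies; each hop in turn knows only its two neighbours. Real chains (proxychains, Tor) differ in transport and authentication but follow the same nesting. Note also that a plain SOCKS or HTTP chain adds no encryption: every hop can read the payload, so an attacker using open proxies is trusting strangers with their traffic, and a defender who controls a hop can log it.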
A recent study has shown that several state-sponsored groups use open proxies, among them Chinese, North Korean and Russian actors. In June 2020, as part of the $BLT20 campaign, the Chinese state-sponsored Stone Panda group targeted organisations in the US, UK, Italy, Japan and France. Within that campaign, one Mandarin-speaking group carried out a series of attacks on a hotel conglomerate with the aim of leaking personally identifiable information (PII). A similar case was the Mud Nationals campaign by the North Korean state-sponsored Lazarus group, which targeted organisations in Japan. The group ran a campaign whose goals coincided with those of its government: stealing intellectual property from five major Japanese technology organisations. What is notable is that the campaign is still active, with the attackers continually monitoring product samples and designs.
Conclusion
That's it. Now you know how attackers use open proxies to attack well-known organizations and businesses in order to exploit their da