Beware of proxyware: Connection-sharing services pose risks

Administrators will need to be on the lookout for a new class of bandwidth-sharing apps that could bring malware and cryptomining software to their networks.

The team at Cisco Talos said in a new report on Tuesday that "proxyware" tools are on the rise, and users can fall victim to malware and fraud as their internet connections are co-opted by strangers. The apps, including the likes of Honeygain and Nanowire, allow users to share a portion of their bandwidth with others. This internet access is then resold by the application provider.

This becomes an issue for enterprises as this bandwidth sharing can be done without the knowledge of administrators, creating both security and liability risks.

"This poses new challenges to organizations, especially to those whose internet access is rated as residential," Cisco Talos researchers Edmund Brumaghin and Vitor Ventura wrote in a blog post. "But any organization could be at risk, as there are platforms that also allow data center-based internet sharing."

While rogue employees handing out network access is bad enough, there are also other dangers that come with proxyware apps. The Cisco Talos team noted that in many cases, malware is being bundled with the apps. With covert access to the network by way of proxyware, criminals are able to install cryptocurrency miners and other automated tools.

"This is a recent trend, but the potential to grow is enormous. We are already seeing serious abuse by threat actors that stand to make a significant amount of money off these attacks," the researchers wrote.

In one case, the proxyware was bundled with cryptocurrency miners and information-stealing malware as a complete kit. Brumaghin and Ventura said that in some instances, threat actors apply patches to the client to eliminate any notifications that would tip off the victim.

"As these platforms became more popular, the adversaries started to leverage trojanized installers, which install the legitimate platform client as well as digital currency miners and information stealers," they said.

In other cases, the proxyware is being covertly installed on the networks of unsuspecting users, without permission. Cisco Talos explained this presents a problem not just for internal security teams, but those outside of the compromised networks as well. "These networks may also allow threat actors to obfuscate the source of their attacks, making them appear as if they are originating from legitimate corporate networks," Brumaghin and Ventura said. "Security analysts could struggle to analyze and/or respond to these attacks and render conventional network defenses that rely on reputation or IP-based blocklists ineffective."

It's unclear how widely used these proxyware apps are, considering that some may be active without knowledge or consent of users. Cisco Talos' blog post, for example, noted that Honeygain claimed its 2021 User Experience and Awareness Survey had 250,000 responses.

"Those would be people who willingly install [the app]," Brumaghin told SearchSecurity.

Cisco Talos warned administrators to be on the lookout for the proxyware tools themselves as well as any malware bundles that might accompany them. The researchers advise setting up logging and alerting mechanisms that can detect when networks are interacting with these apps.

"We believe attackers are highly likely to abuse these proxyware platforms, as they can be used to disguise an attacker's origin more efficiently than Tor, since the exit nodes cannot be cataloged," the researchers said. "For organizations, these platforms pose two essential problems: The abuse of their resources, eventually being blocklisted due to activities they don't even control and it increases organizations' attack surface, potentially creating an initial attack vector directly on the endpoint."