In the most recent wave of attacks monitored by the AhnLab Security Intelligence Center (ASEC), hackers are increasingly targeting misconfigured Linux systems that are exposed via SSH. They exploit weak credentials to deploy legitimate proxy software for malicious purposes.
By leveraging open-source tools such as TinyProxy and Sing-box, adversaries are converting compromised systems into proxy nodes to facilitate anonymity in further cyberattacks or to sell access for criminal profit.
Weak Credential Exploitation
ASEC researchers observed that attackers frequently rely on brute-force techniques targeting SSH services with poorly secured passwords.
Upon successful access, attackers execute automated scripts that install either TinyProxy or Sing-box, both sophisticated yet legitimate proxy solutions, on the host systems.

One notable incident involved the deployment of a malicious Bash script, delivered through familiar utilities such as wget or curl, which is downloaded from a remote server and executed.

This script detects the underlying package manager (apt, yum, or dnf) and proceeds to install TinyProxy.
Post-installation, the threat actor manipulates TinyProxy’s configuration files (/etc/tinyproxy/tinyproxy.conf or /etc/tinyproxy.conf), eliminating access rules that restrict external connections and inserting an “Allow 0.0.0.0/0” directive to permit unrestricted world-wide access via port 8888.
Notably, these attacks exhibit surgical precision, focusing solely on the installation and configuration of proxy services without deploying additional malware components or performing further lateral movement.
This streamlined approach underscores a growing trend in abuse of legitimate administrative utilities for post-compromise activities.
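
A defender can check for the configuration change described above with a short audit script. The following is an added example, not code from the ASEC report; the function name and the sample config are constructed for illustration, and it assumes the TinyProxy service is reachable from outside (Listen/Bind settings and host firewall rules are not evaluated).

```shell
#!/bin/sh
# Added example, not code from the ASEC report: flag a TinyProxy config left in
# the world-open state described above. Listen/Bind settings and host firewall
# rules are not evaluated here (assumption: the service is reachable externally).

# audit_tinyproxy_conf FILE
#   Prints findings; returns 0 = access restricted, 1 = open, 2 = unreadable.
audit_tinyproxy_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "$conf: not readable, skipped"; return 2; }

    # Keep active directives only (drop comment and blank lines).
    active=$(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$conf")
    port=$(printf '%s\n' "$active" | awk 'tolower($1) == "port" { print $2; exit }')
    status=0

    if printf '%s\n' "$active" |
        grep -Eiq '^[[:space:]]*Allow[[:space:]]+0\.0\.0\.0/0[[:space:]]*$'; then
        echo "$conf: 'Allow 0.0.0.0/0' present, any client may use the proxy"
        status=1
    elif ! printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*(Allow|Deny)[[:space:]]'; then
        # With no Allow/Deny lines at all, TinyProxy accepts every client.
        echo "$conf: no Allow/Deny rules, every client is accepted"
        status=1
    fi
    [ "$status" -eq 0 ] || echo "$conf: listening port ${port:-unset}"
    return "$status"
}

# Constructed sample: a config after the tampering the article describes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 8888
#Allow 127.0.0.1
Allow 0.0.0.0/0
EOF
audit_tinyproxy_conf "$sample" || true
rm -f "$sample"

# On a real host, check both paths named in the article.
for f in /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy.conf; do
    audit_tinyproxy_conf "$f" || true
done
```

A return code of 1 on a host where TinyProxy was never intentionally installed is a strong reason to review SSH authentication logs and recent package installation history.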
Sing-box Deployed
In parallel, ASEC identified similar activity involving Sing-box, a versatile, open-source proxy platform capable of supporting advanced protocols like vmess-argo, vless-reality, Hysteria2, and TUICv5.
Attackers were observed running reconnaissance commands to fingerprint the compromised system, followed by the download and execution of Sing-box installation scripts sourced from GitHub.
The infection sequence is typical of automation, with bot operators leveraging both bash piping and direct download-execute chains for rapid deployment.
While Sing-box is widely used for bypassing regional content restrictions such as those imposed on ChatGPT or Netflix, in this context, its installation is illicit and intended to monetize unauthorized proxy services.
The use of open-source tools, as opposed to proprietary malware, demonstrates a strategic shift.
By weaponizing widely recognized utilities, attackers not only streamline their operational overhead but also complicate detection and response efforts, as the presence of these executables on a Linux host may not immediately arouse suspicion.
The surge in attacks abusing legitimate proxy software on Linux SSH servers highlights the critical importance of basic security hygiene.
Administrators are strongly advised to enforce robust, unique passwords for all remote access points and to implement routine password changes.
Timely application of security patches remains imperative in reducing exposure to exploitable vulnerabilities, while network segmentation and firewall rules should be used to restrict unnecessary inbound access to administrative services.
Security solutions should be kept up to date in anticipation of emerging threats and to proactively block known indicators of compromise.
Ultimately, defenders face an evolving threat landscape, where cybercriminals blend legitimate software and precise, automated attack sequences to maximize impact and evade detection.
The security community must remain vigilant, adapting controls and detection strategies as attackers continue to exploit the grey area between authorized and malicious tool usage.
Indicators of Compromise (IOC)
Indicator Type | Value |
---|---|
MD5 Hash | 16d1dfa35d64046128290393512171ce |
MD5 Hash | 35d79027834a3b6270455f59b54f2e19 |
URL | https://0x0.st/8VDs.sh |
URL | https://raw.githubusercontent.com/eooce/sing-box/main/sing-box.sh |