Hackers often use proxy servers to hide their identities and access restricted networks. These servers, when compromised, can be exploited to launch cyberattacks, distribute malware, and conduct illegal activities while masking the true origin of the traffic. Cybersecurity researchers recently identified a case where a ransomware actor exploited the proxy server of a CoinMiner attacker. This proxy server, initially set up by the CoinMiner group to control an infected botnet, became a target for the ransomware actor’s RDP scan attack.
The CoinMiner group had initially breached the server by scanning for MS-SQL administrator accounts and using xp_cmdshell to install a backdoor, downloading CoinMiner malware from a command-and-control server. However, their reverse RDP proxy server, set up using a modified Fast Reverse Proxy tool, was left exposed. This exposure allowed the ransomware actor to gain administrative access through RDP port scanning and brute force attacks. Once inside, the ransomware actor moved laterally, spreading ransomware throughout the CoinMiner botnet and network.
Two hypotheses explain the ransomware actor’s attack on the proxy server. It could have been an accidental target during the ransomware actor’s scan for exposed RDP ports, or it could have been a deliberate attack on previously compromised systems known to have vulnerabilities. The repeated access to the affected system suggests the ransomware actor might have recognized the compromised state of the CoinMiner infrastructure.
This incident highlights an emerging trend where cyber attackers infiltrate rival groups’ infrastructures to enhance their attacks. Such actions complicate attribution and defense efforts, as threat actors increasingly leverage each other’s compromised systems and resources. As these cases become more common, the cybersecurity landscape may see more intentional hacking between different hacker groups, significantly complicating threat management and mitigation strategies.
Reference:
