1. Home
  2. Techniques
  3. Enterprise
  4. Resource Hijacking
  5. Bandwidth Hijacking

Resource Hijacking: Bandwidth Hijacking

ID Name
T1496.001 Compute Hijacking
T1496.002 Bandwidth Hijacking
T1496.003 SMS Pumping
T1496.004 Cloud Service Hijacking

Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate Network Denial of Service campaigns and/or to seed malicious torrents.[1] Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.[2] Finally, they may engage in internet-wide scanning in order to identify additional targets for compromise.[3]

In addition to incurring potential financial costs or availability disruptions, this technique may cause reputational damage if a victim’s bandwidth is used for illegal activities.[2]

ID: T1496.002
Sub-technique of:  T1496
Tactic: Impact
Platforms: Containers, IaaS, Linux, Windows, macOS
Impact Type: Availability
Version: 1.0
Created: 25 September 2024
Last Modified: 25 September 2024
Version Permalink

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may indicate common proxyware functionality.

DS0022 File File Creation

Monitor for common proxyware files on local systems that may indicate compromise and resource usage.

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts. Look for connections to/from strange ports.

Network Traffic Content

Monitor network traffic content for strange or unusual patterns.

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009 Process Process Creation

Monitor for common proxyware software process names that may indicate compromise and resource usage.

References

  1. Zuzana Hromcová. (2019, July 8). Malicious campaign targets South Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.
  2. Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.
  1. Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments. Retrieved September 25, 2024.