Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hundreds of thousands of websites hacked as part of redirection campaign

Thousands of Websites Hijacked Using Compromised FTP Credentials Researchers reported that threat actors compromised thousands of websites using legitimate FTP credentials to hijack traffic. Cybersecurity firm Wiz reported that since early September 2022, threat actors compromised tens of thousands of websites aimed at East Asian audiences to redirect hundreds of thousands of their users to […]

FTP Credentials websites hacked

Thousands of Websites Hijacked Using Compromised FTP Credentials

Researchers reported that threat actors compromised thousands of websites using legitimate FTP credentials to hijack traffic.

Cybersecurity firm Wiz reported that since early September 2022, threat actors compromised tens of thousands of websites aimed at East Asian audiences to redirect hundreds of thousands of their users to adult-themed content.

FTP Credentials websites hacked

The threat actors gained access to the website using legitimate credentials for the FTP endpoint used for managing the web application. In some cases, the passwords used by the attackers were strong and were unlikely to have been included in a dictionary for a brute-force attack. 

“Since early September 2022, an unknown threat actor has successfully compromised tens of thousands of websites mainly aimed at East Asian audiences, redirecting hundreds of thousands of their users to adult-themed content.” reads the analysis published by Wiz. “In each case, the threat actor has injected malicious code into customer-facing web pages that is designed to collect information about visitors’ environments and occasionally redirect them to these other sites, depending on both random chance and the country in which the user is located.”

Many compromised websites belong to small companies, while some others were operated by large corporations.

Once obtained access to the target website, the attackers modified existing web pages by adding a single line of HTML code, in the form of a script tag referencing a remotely hosted JavaScript script. The analysis of relevant FTP logs for many attacks revealed that the threat actor was connecting to these FTP endpoints from a static IP address (172.81.104[.]64).

The researchers reported that in some cases, once obtained the FTP credentials, the attackers injected the JavaScript code directly into existing files on the compromised server.

The redirection logic implemented in the JavaScript script checks for a set of certain conditions. The technique allows redirecting the visitors to the destination website only if these conditions have been met.

The experts noticed that the redirection process has changed over time. The visitors to compromised websites were initially redirected directly, but starting from February they were redirected through one of four known intermediate servers with URLs masquerading as legitimate websites.

“According to data from SimiliarWeb, the above intermediate servers handle hundreds of thousands of visitors each month – the vast majority originating in East Asia – and some campaigns have been more active than others during different periods of time, which might be related to changes in the aforementioned ‘probability’ field of each campaign.”continues the analysis.h ento

The researchers reported that in some cases, administrators of the compromised websites after becoming aware of the compromise removed the malicious redirection, but it reappeared shortly thereafter. 

“We remain unsure as to how the threat actor has been gaining initial access to so many websites, and we have yet to identify any significant commonalities between the impacted servers other than their usage of FTP. Although it’s unlikely that the threat actor is using a 0day vulnerability given the apparently low sophistication of the attack, we can’t rule this out as an option,” the analysis concludes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, redirection campaign)