430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Discovered thousands of FTP servers infected by malware

Hold Security reported it has discovered a list of credentials for close to 7,800 FTP servers being circulated in cybercrime forums in the Deep Web. FTP servers are considered a privileged target for cyber criminals, hackers can exploit them for example to spread malware infecting webservers that rely on FTP applications for updates. The Hold Security firm […]

Discovered thousands of FTP servers infected by malware

Hold Security reported it has discovered a list of credentials for close to 7,800 FTP servers being circulated in cybercrime forums in the Deep Web.

FTP servers are considered a privileged target for cyber criminals, hackers can exploit them for example to spread malware infecting webservers that rely on FTP applications for updates.

The Hold Security firm has recently reported that its experts have discovered thousands of FTP sites infected by malware, the company has found in the underground a list of credentials for nearly 7,800 FTP websites. During their DeepWeb Monitoring activity the experts have found the precious list that includes high-profile targets, a collection of FTP servers poorly protected that were victims of botnets or other infections that stolen the FTP credentials. The New York Times and UNICEF were among the high-profile victims according PC World, both have been notified.

“Hackers compromised thousands of FTP sites to plant their malware or to attempt to compromise connected web services. This week Hold Security’s Deep Web Monitoring Service obtained evidence of hackers abusing FTP sites of companies of all sizes across the globe. Hackers planted PHP scripts armed with backdoors (shells) and viruses in multiple directories hoping that these directories map to web servers of the victim companies to gain control of the web services. They also uploaded HTML files with seamless re-directs to malicious sites.”

As confirmed by the founder and chief information security officer Alex Holden, it is unclear the scale and the extension of the attacks that compromised the FTP servers, from the analysis of signatures the security experts identified many similarities for the attacks.

“The signatures seem to be the same. Whether it’s a single group that has been doing this, or multiple groups, we don’t know,”  “We have been gathering information on the malware they distributed and with the malware, there is quite a bit of re-use and recycling. It’s hard to pinpoint it to a single group, especially if we don’t know the exact source of the data.” Holden said.

ftp servers 2

Holden identified two following different attack vectors.

  • The hackers uploads malicious PHP scripts to the FTP servers, if the FTP servers have some link to a webserver where it is used to upload content the attackers have reached their intent.
  • The hackers uploads HTML files onto the FTP servers, if victims navigate files list on an FTP app or server using their browser they are hijacked to a malicious website controlled by cybercriminals. The attackers use social engineering tricks to deceive victims, the files in fact have innocuous names such as Pinterest, AOL, or something related to the victim’s company.

In the typical attack scenarios, victims are redirected to malicious sites proposing prescription medication, pornography or even website serving ransomware.

“Hacker’s cannot usually upload information to a website, but using FTP, they can upload [malware] and if there is a connection between FTP and the webserver, they can execute code and can actually take control over a webserver,” “This is probably their end goal because the webserver gives them the ability to access data and the database.” added Holden.

“This is why we think it may be more than one group,” Holden said. “There are different schemes going on.”

It is suggested to organization to assess their FTP servers and to improve their security.

Pierluigi Paganini

(Security Affairs –  FTP Servers, cybercrime)