Large-scale Cyber Attack Hijacks East Asian Websites for Adult Content Redirects

March 13, 2023 | Ravie Lakshmanan | Web security / cyber threats

Since early September 2022, a widespread malicious cyberattack has hijacked thousands of websites targeting an East Asian audience, redirecting visitors to adult-themed content.

The ongoing campaign involves injecting malicious JavaScript code into the compromised websites, in many cases after the attackers connected to the target web servers using legitimate FTP credentials that they had obtained through unknown means.

“In many cases, these were highly secure auto-generated FTP credentials that attackers could somehow obtain and use to hijack websites,” Wiz said in a report published earlier this month.

The compromised websites, owned by small businesses and multinationals alike, use a variety of technology stacks and hosting providers, which makes it difficult to identify a common attack vector, the cloud security firm notes.

That said, one commonality is that most of the websites are either hosted in China or hosted in another country but built for Chinese users.

Additionally, URLs hosting malicious JavaScript code are geofenced to restrict execution in certain East Asian countries.
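Because the remote script is geofenced, fetching a compromised page from outside the targeted region may show nothing suspicious in the browser. A defender is therefore better served by inspecting the HTML on disk for the injected tag itself. The scanner below is an added example written for this article, not code from Wiz or from the campaign: it walks a web root, collects every `<script>` tag, flags external script sources whose host is not on an allowlist, and flags inline scripts that perform a redirect to an external URL. The allowlist hosts and the `.test`/`.invalid` domains in the sample HTML are constructed placeholders, not indicators from the report.

```python
"""Scan HTML files for injected third-party <script> tags and redirect snippets.

Added example (not from the original article). The allowlist and the sample
documents below are constructed for illustration.
"""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed allowlist; adapt per site).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-site.test", "www.example-site.test"}

# Inline-script patterns typical of a forced redirect or a dynamically written loader.
REDIRECT_PATTERNS = [
    re.compile(r"(window\.|document\.)?location(\.href)?\s*=\s*['\"]https?://", re.I),
    re.compile(r"location\.replace\s*\(\s*['\"]https?://", re.I),
    re.compile(r"document\.write\s*\(\s*['\"]\s*<script", re.I),
]


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # bodies of <script> tags without src=
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, detail) findings for one HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        # Relative paths have an empty netloc and are same-origin; "//host/x.js" is not.
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("external-script", src))
    for code in parser.inline:
        if any(p.search(code) for p in REDIRECT_PATTERNS):
            findings.append(("inline-redirect", code.strip()[:80]))
    return findings


def scan_directory(root, allowed_hosts=ALLOWED_SCRIPT_HOSTS, exts=(".html", ".htm", ".php")):
    """Walk a web root and map each file with findings to its list of findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_html(fh.read(), allowed_hosts)
                if findings:
                    results[path] = findings
    return results


# Constructed sample documents: one clean page and one with an injected loader
# plus an inline redirect that only fires for Android visitors.
SAMPLE_CLEAN = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-site.test/lib.js"></script>
<script>var ready = true;</script>
</head><body>hello</body></html>"""

SAMPLE_INJECTED = """<html><head>
<script src="//cdn.example-site.test/lib.js"></script>
<script src="https://injected-host.invalid/r.js"></script>
<script>
if (navigator.userAgent.indexOf("Android") > -1) { window.location.href = "https://redirect-target.invalid/"; }
</script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_INJECTED):
        print(f"{kind}: {detail}")
```

Run it against a copy of the web root taken from the server (or from a clean backup, to diff against) rather than against pages fetched over HTTP, since the geofenced loader and any user-agent checks are exactly what make a remote fetch unreliable. Any host that shows up as `external-script` and is not on the allowlist should be treated as a lead for incident response, starting with the FTP access logs, which the report identifies as the one common thread.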

There are also indications that the campaign has Android users in its sights as well, with a redirect script directing visitors to a gambling website and prompting them to install an app (APK package name ‘com.tyc9n1999co.coandroid’).

The identity of the threat actor is still unknown and its exact motives have yet to be determined, but the campaign is suspected to be aimed at ad fraud, SEO manipulation, or driving inorganic traffic to the destination websites.


Another notable aspect of the attack is the absence of phishing, web skimming, or malware infections.

Researchers Amitai Cohen and Barak Sharoni said, “It’s unclear how the attackers gained initial access to so many websites, and apart from the use of FTP, we have not yet identified any significant commonalities between the affected servers.”

“Given the apparent low sophistication of the attack, it is unlikely that threat actors are using zero-day vulnerabilities, but we cannot rule this out as an option.”
