An ongoing malicious cyber campaign has seen thousands of websites hijacked to redirect users to adult-themed websites.
Reports said the campaign was first spotted in early September 2022 and has affected thousands of websites often visited by users in east Asia.
Hackers infect the websites by injecting JavaScript code that redirects visitors to other sites showing adult content.
In many cases, the hackers connect to the target web server with legitimate FTP credentials obtained beforehand, according to IT security company Wiz, which has been investigating the campaign for some time.
“In several cases … the threat actor connected to the target web server using legitimate FTP credentials they somehow obtained previously.
“We were not able to determine how this threat actor has been gaining initial access to the affected web servers or where they are sourcing their stolen credentials from,” it said.
The report said that the threat actor “could … be utilising data from password stealers or making use of leaked credentials”. However, some websites are being reinfected even after their passwords have been rotated.
While the attacker’s intentions are currently unknown, Wiz believes that cyber criminals likely have a financial incentive.
“Given the nature of the destination websites, we believe the threat actor’s motivations are most likely financial, and perhaps they intend to merely increase traffic to these websites from specific countries and nothing more.
“However, the impact to the compromised websites and their user experience is equivalent to defacement, and whatever weaknesses this actor is exploiting to gain initial access to these websites could be utilised by other actors to inflict greater harm.”
Wiz said that identifying a common attack vector has been difficult because the affected websites use different hosting providers and a variety of tech stacks. However, most of the affected sites are designed for a Chinese audience, either hosted in China or targeting Chinese users.
In addition, the researchers said that the low sophistication of the attack makes it unlikely the threat group is using a zero-day vulnerability, although they do not rule it out. Wiz also said that there may be a commonality in the breaches that has so far been missed.
Wiz said there are a number of things website operators can do to prevent infection, such as rotating FTP credentials, switching from FTP to FTPS or SFTP, and restoring compromised assets to a state free of the malicious JavaScript tags and code.
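As an added example (not code from Wiz or from this article), the following Python scans a web root for script tags whose host is not on a site's own allowlist, or inline scripts that redirect the browser to an absolute URL, which is the kind of injected tag an operator needs to find before restoring assets to a clean state. The allowlist, the `.invalid` hosts and the sample pages are constructed for illustration.

```python
"""Flag pages carrying script tags outside a known-good allowlist.
Added example for this article, not Wiz's code; hosts and pages are constructed."""
import os
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts this site legitimately loads scripts from.
TRUSTED_SCRIPT_HOSTS = {"cdn.example.com", "www.example.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
# Inline code that navigates the browser to an absolute http(s) URL.
REDIRECT_RE = re.compile(r"""location(?:\.href)?\s*=\s*["']https?://|location\.(?:replace|assign)\(\s*["']https?://""", re.I)


def suspicious_scripts(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return (kind, detail) per untrusted script: "external" (src host off the allowlist) or "inline-redirect"."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host and host not in trusted_hosts:
                findings.append(("external", host))
        elif REDIRECT_RE.search(body):
            findings.append(("inline-redirect", body.strip()[:60]))
    return findings


def scan_webroot(root):
    """Map each HTML/PHP file under root to its findings; files with none are omitted."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = suspicious_scripts(fh.read())
                if found:
                    report[path] = found
    return report


# Constructed samples: a clean page and the same page with an injected tag.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>document.title = "Hello";</script>
</head><body></body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace("</head>",
    '<script src="https://redirect-host.invalid/r.js"></script>\n'
    '<script>window.location.href = "https://redirect-host.invalid/";</script>\n</head>')
```

Running `scan_webroot("/path/to/webroot")` returns only the files that need attention, and a page that loads its own scripts from allowlisted hosts reports nothing.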
For the full report, head to the Wiz Blog.