Cybersecurity firm Wiz reported that since early September 2022, threat actors compromised tens of thousands of websites aimed at East Asian audiences to redirect hundreds of thousands of their users to adult-themed content.
The threat actors gained access to the website using legitimate credentials for the FTP endpoint used for managing the web application. In some cases, the passwords used by the attackers were strong and were unlikely to have been included in a dictionary for a brute-force attack.
“Since early September 2022, an unknown threat actor has successfully compromised tens of thousands of websites mainly aimed at East Asian audiences, redirecting hundreds of thousands of their users to adult-themed content.” reads the analysis published by Wiz. “In each case, the threat actor has injected malicious code into customer-facing web pages that is designed to collect information about visitors’ environments and occasionally redirect them to these other sites, depending on both random chance and the country in which the user is located.”
Many compromised websites belong to small companies, while some others were operated by large corporations.
The experts noticed that the redirection process has changed over time. The visitors to compromised websites were initially redirected directly, but starting from February they were redirected through one of four known intermediate servers with URLs masquerading as legitimate websites.
“According to data from SimiliarWeb, the above intermediate servers handle hundreds of thousands of visitors each month – the vast majority originating in East Asia – and some campaigns have been more active than others during different periods of time, which might be related to changes in the aforementioned ‘probability’ field of each campaign.”continues the analysis.
The researchers reported that in some cases, administrators of the compromised websites after becoming aware of the compromise removed the malicious redirection, but it reappeared shortly thereafter.
“We remain unsure as to how the threat actor has been gaining initial access to so many websites, and we have yet to identify any significant commonalities between the impacted servers other than their usage of FTP. Although it’s unlikely that the threat actor is using a 0day vulnerability given the apparently low sophistication of the attack, we can’t rule this out as an option,” the analysis concludes.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, redirection campaign)