Thousands of Websites Hijacked Using Compromised FTP Credentials

Researchers reported that threat actors compromised thousands of websites using legitimate FTP credentials to hijack traffic.

Cybersecurity firm Wiz reported that since early September 2022, threat actors compromised tens of thousands of websites aimed at East Asian audiences to redirect hundreds of thousands of their users to adult-themed content.

The threat actors gained access to the website using legitimate credentials for the FTP endpoint used for managing the web application. In some cases, the passwords used by the attackers were strong and were unlikely to have been included in a dictionary for a brute-force attack. 

“Since early September 2022, an unknown threat actor has successfully compromised tens of thousands of websites mainly aimed at East Asian audiences, redirecting hundreds of thousands of their users to adult-themed content.” reads the analysis published by Wiz. “In each case, the threat actor has injected malicious code into customer-facing web pages that is designed to collect information about visitors’ environments and occasionally redirect them to these other sites, depending on both random chance and the country in which the user is located.”

Many compromised websites belong to small companies, while some others were operated by large corporations.

Once obtained access to the target website, the attackers modified existing web pages by adding a single line of HTML code, in the form of a script tag referencing a remotely hosted JavaScript script. The analysis of relevant FTP logs for many attacks revealed that the threat actor was connecting to these FTP endpoints from a static IP address (172.81.104[.]64).

The researchers reported that in some cases, once obtained the FTP credentials, the attackers injected the JavaScript code directly into existing files on the compromised server.

The redirection logic implemented in the JavaScript script checks for a set of certain conditions. The technique allows redirecting the visitors to the destination website only if these conditions have been met.

The experts noticed that the redirection process has changed over time. The visitors to compromised websites were initially redirected directly, but starting from February they were redirected through one of four known intermediate servers with URLs masquerading as legitimate websites.

“According to data from SimiliarWeb, the above intermediate servers handle hundreds of thousands of visitors each month – the vast majority originating in East Asia – and some campaigns have been more active than others during different periods of time, which might be related to changes in the aforementioned ‘probability’ field of each campaign.”continues the analysis.h ento

The researchers reported that in some cases, administrators of the compromised websites after becoming aware of the compromise removed the malicious redirection, but it reappeared shortly thereafter. 

“We remain unsure as to how the threat actor has been gaining initial access to so many websites, and we have yet to identify any significant commonalities between the impacted servers other than their usage of FTP. Although it’s unlikely that the threat actor is using a 0day vulnerability given the apparently low sophistication of the attack, we can’t rule this out as an option,” the analysis concludes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, redirection campaign)