Categories: Cyber CrimeHacking

Discovered thousands of FTP servers infected by malware

Hold Security reported it has discovered a list of credentials for close to 7,800 FTP servers being circulated in cybercrime forums in the Deep Web.

FTP servers are considered a privileged target for cyber criminals, hackers can exploit them for example to spread malware infecting webservers that rely on FTP applications for updates.

The Hold Security firm has recently reported that its experts have discovered thousands of FTP sites infected by malware, the company has found in the underground a list of credentials for nearly 7,800 FTP websites. During their DeepWeb Monitoring activity the experts have found the precious list that includes high-profile targets, a collection of FTP servers poorly protected that were victims of botnets or other infections that stolen the FTP credentials. The New York Times and UNICEF were among the high-profile victims according PC World, both have been notified.

“Hackers compromised thousands of FTP sites to plant their malware or to attempt to compromise connected web services. This week Hold Security’s Deep Web Monitoring Service obtained evidence of hackers abusing FTP sites of companies of all sizes across the globe. Hackers planted PHP scripts armed with backdoors (shells) and viruses in multiple directories hoping that these directories map to web servers of the victim companies to gain control of the web services. They also uploaded HTML files with seamless re-directs to malicious sites.”

As confirmed by the founder and chief information security officer Alex Holden, it is unclear the scale and the extension of the attacks that compromised the FTP servers, from the analysis of signatures the security experts identified many similarities for the attacks.

“The signatures seem to be the same. Whether it’s a single group that has been doing this, or multiple groups, we don’t know,”  “We have been gathering information on the malware they distributed and with the malware, there is quite a bit of re-use and recycling. It’s hard to pinpoint it to a single group, especially if we don’t know the exact source of the data.” Holden said.

Holden identified two following different attack vectors.

  • The hackers uploads malicious PHP scripts to the FTP servers, if the FTP servers have some link to a webserver where it is used to upload content the attackers have reached their intent.
  • The hackers uploads HTML files onto the FTP servers, if victims navigate files list on an FTP app or server using their browser they are hijacked to a malicious website controlled by cybercriminals. The attackers use social engineering tricks to deceive victims, the files in fact have innocuous names such as Pinterest, AOL, or something related to the victim’s company.

In the typical attack scenarios, victims are redirected to malicious sites proposing prescription medication, pornography or even website serving ransomware.

“Hacker’s cannot usually upload information to a website, but using FTP, they can upload [malware] and if there is a connection between FTP and the webserver, they can execute code and can actually take control over a webserver,” “This is probably their end goal because the webserver gives them the ability to access data and the database.” added Holden.

“This is why we think it may be more than one group,” Holden said. “There are different schemes going on.”

It is suggested to organization to assess their FTP servers and to improve their security.

Pierluigi Paganini

(Security Affairs –  FTP Servers, cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Experts observed approximately 120 malicious campaigns using the Rafel RAT

Multiple threat actors are using an open-source Android remote administration tool called Rafel RAT to target Android…

10 mins ago

LockBit claims the hack of the US Federal Reserve

The Lockbit ransomware group announced that it had breached the US Federal Reserve and exfiltrated…

3 hours ago

Ransomware threat landscape Jan-Apr 2024: insights and challenges

Between Jan and Apr 2024, the global ransomware landscape witnessed significant activity, with 1420 ransomware…

5 hours ago

ExCobalt Cybercrime group targets Russian organizations in multiple sectors

The cybercrime group ExCobalt targeted Russian organizations in multiple sectors with a previously unknown backdoor…

6 hours ago

Threat actor attempts to sell 30 million customer records allegedly stolen from TEG

A threat actor is offering for sale customer data allegedly stolen from the Australia-based live…

16 hours ago

Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

1 day ago

This website uses cookies.