FTP servers are considered a privileged target for cyber criminals, hackers can exploit them for example to spread malware infecting webservers that rely on FTP applications for updates.
The Hold Security firm has recently reported that its experts have discovered thousands of FTP sites infected by malware, the company has found in the underground a list of credentials for nearly 7,800 FTP websites. During their DeepWeb Monitoring activity the experts have found the precious list that includes high-profile targets, a collection of FTP servers poorly protected that were victims of botnets or other infections that stolen the FTP credentials. The New York Times and UNICEF were among the high-profile victims according PC World, both have been notified.
“Hackers compromised thousands of FTP sites to plant their malware or to attempt to compromise connected web services. This week Hold Security’s Deep Web Monitoring Service obtained evidence of hackers abusing FTP sites of companies of all sizes across the globe. Hackers planted PHP scripts armed with backdoors (shells) and viruses in multiple directories hoping that these directories map to web servers of the victim companies to gain control of the web services. They also uploaded HTML files with seamless re-directs to malicious sites.”
As confirmed by the founder and chief information security officer Alex Holden, it is unclear the scale and the extension of the attacks that compromised the FTP servers, from the analysis of signatures the security experts identified many similarities for the attacks.
“The signatures seem to be the same. Whether it’s a single group that has been doing this, or multiple groups, we don’t know,” “We have been gathering information on the malware they distributed and with the malware, there is quite a bit of re-use and recycling. It’s hard to pinpoint it to a single group, especially if we don’t know the exact source of the data.” Holden said.
Holden identified two following different attack vectors.
In the typical attack scenarios, victims are redirected to malicious sites proposing prescription medication, pornography or even website serving ransomware.
“Hacker’s cannot usually upload information to a website, but using FTP, they can upload [malware] and if there is a connection between FTP and the webserver, they can execute code and can actually take control over a webserver,” “This is probably their end goal because the webserver gives them the ability to access data and the database.” added Holden.
“This is why we think it may be more than one group,” Holden said. “There are different schemes going on.”
It is suggested to organization to assess their FTP servers and to improve their security.
(Security Affairs – FTP Servers, cybercrime)
Google addressed a Chrome's Password Manager bug that caused user credentials to disappear temporarily for…
The Internet Systems Consortium (ISC) released BIND security updates that fixed several remotely exploitable DoS…
Terrorist groups are increasingly using cyberspace and digital communication channels to plan and execute attacks.…
Progress Software addressed a critical remote code execution vulnerability, tracked as CVE-2024-6327, in the Telerik Report…
A critical flaw in some versions of Docker Engine can be exploited to bypass authorization…
The CVE-2024-21412 flaw in the Microsoft Defender SmartScreen has been exploited to deliver information stealers…
This website uses cookies.