At least 10,000 websites aimed at East Asian audiences have been hijacked in a widespread ongoing redirection campaign involving legitimate FTP credentials that is believed to have commenced last September, SecurityWeek reports.
Attackers have added one line of HTML code referencing a remotely hosted JavaScript file to compromised web pages, while some incidents involved direct JavaScript code injection into existing server files through FTP access, according to a Wiz report. The JavaScript code previously fingerprinted users' browsers, but such activity has stopped since December, while more intermediate servers were observed being added to the redirection chain last month.
"We remain unsure as to how the threat actor has been gaining initial access to so many websites, and we have yet to identify any significant commonalities between the impacted servers other than their usage of FTP. Although it's unlikely that the threat actor is using a 0day vulnerability given the apparently low sophistication of the attack, we can't rule this out as an option," said Wiz.
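A site owner can audit for the single-line injection described above by listing every `<script src>` whose host is not one the site is expected to load from. The following is an added example, not code from Wiz or SecurityWeek; the allowlist, the sample page and the host names in it are constructed, and it covers only the script-tag case, not JavaScript appended directly to existing files.

```python
"""Flag <script src> tags that load from hosts outside an allowlist."""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (constructed values).
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

class ScriptSrcFinder(HTMLParser):
    """Collects (line, host, src) for each script tag with an off-allowlist host."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script: no remote reference to check
        # Absolute and protocol-relative (//host/x.js) URLs yield a hostname;
        # relative paths yield None and are same-origin.
        host = urlparse(src.strip()).hostname
        if host and host not in self.allowed:
            self.findings.append((self.getpos()[0], host, src))

def scan_html(text, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for one HTML document."""
    finder = ScriptSrcFinder(allowed_hosts)
    finder.feed(text)
    finder.close()
    return finder.findings

def scan_tree(root, allowed_hosts=ALLOWED_HOSTS):
    """Walk a web root; return (path, line, host, src) for each finding."""
    hits = []
    for path in sorted(Path(root).rglob("*.htm*")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits += [(str(path), *f) for f in scan_html(text, allowed_hosts)]
    return hits

# Constructed sample page: line 4 mimics a one-line injected reference.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="//static.injected.invalid/a.js"></script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for line, host, src in scan_html(SAMPLE_PAGE):
        print(f"line {line}: unexpected script host {host} ({src})")
```

Running `scan_tree` against a known-good copy of the site first gives the baseline of expected hosts to put in the allowlist.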
Widespread website hijacking facilitated by stolen FTP credentials