
Widespread website hijacking facilitated by stolen FTP credentials

At least 10,000 websites aimed at East Asian audiences have been hijacked in a widespread, ongoing redirection campaign that involves legitimate FTP credentials and is believed to have commenced last September, SecurityWeek reports. According to a Wiz report, attackers have added one line of HTML code referencing a remote JavaScript script to compromised web pages, while some incidents involved direct JavaScript code injection into existing server files through FTP access. The JavaScript code once fingerprinted users' browsers, but such activity has stopped since December, while more intermediate servers were observed being added to the redirection chain last month.

"We remain unsure as to how the threat actor has been gaining initial access to so many websites, and we have yet to identify any significant commonalities between the impacted servers other than their usage of FTP. Although it's unlikely that the threat actor is using a 0day vulnerability given the apparently low sophistication of the attack, we can't rule this out as an option," said Wiz.
