Cloud security startup Wiz has identified a widespread redirection campaign that has compromised at least 10,000 websites targeting East Asian audiences. The attackers used legitimate, auto-generated FTP credentials to access the sites and injected a single line of HTML, a script tag, that loads and executes attacker-controlled JavaScript in each visitor's browser.
The goal of the campaign is unknown; ad fraud and SEO manipulation are plausible motives, but others cannot be excluded. The attackers have been observed revising the JavaScript redirection code over time and adding intermediate servers to the redirection chain. They also fingerprint victims' browsers and send the collected information to attacker-controlled infrastructure.
Wiz has identified numerous servers associated with the campaign, but it remains unclear how the attackers obtained the FTP credentials in the first place. Use of a zero-day vulnerability is unlikely but cannot be ruled out.
Overall, the redirection campaign highlights the importance of strong access control and secure credentials for websites, including any auto-generated FTP accounts, as well as the need for website owners to regularly monitor their page content for injected code.
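Because the injection described above is a single external script tag added to otherwise legitimate HTML, one practical monitoring check is to scan served pages for script sources whose host is not on the site's own allowlist. The following is an added example written for this article, not code from Wiz or from the campaign itself; the sample page, the allowlisted host and the placeholder attacker domain are all constructed for illustration.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample page. The last <script> line mimics a single injected
# external-script tag of the kind described above; the host is a placeholder,
# not a real indicator of compromise.
SAMPLE_HTML = """<!doctype html>
<html>
<head>
  <title>Shop</title>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example-shop.test/lib/jquery.min.js"></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
</head>
<body>
<p>Welcome</p>
<script src="//static.attacker-placeholder.test/r.js"></script>
</body>
</html>
"""

# Assumed allowlist of third-party hosts this site legitimately loads scripts
# from. In practice this is derived from the site's known-good templates.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-shop.test"}

# Matches an opening <script ...> tag that carries a src attribute and captures
# the attribute value (quoted or bare). Closing </script> tags do not match.
SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?P<q>["']?)(?P<src>[^"'\s>]+)(?P=q)[^>]*>""",
    re.IGNORECASE,
)


def external_script_hosts(html):
    """Return (line_number, src, host) for every <script src=...> in html.

    Same-origin relative paths yield host ''. Protocol-relative '//host/path'
    sources, a common form in injected tags, are resolved as https so the
    host is still extracted.
    """
    results = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in SCRIPT_SRC_RE.finditer(line):
            src = m.group("src")
            url = "https:" + src if src.startswith("//") else src
            host = urlparse(url).netloc.lower()
            results.append((lineno, src, host))
    return results


def find_unexpected_scripts(html, allowed_hosts):
    """Flag script tags that load from a host outside the allowlist."""
    return [
        (lineno, src, host)
        for lineno, src, host in external_script_hosts(html)
        if host and host not in allowed_hosts
    ]


def scan_directory(root, allowed_hosts, extensions=(".html", ".htm", ".php")):
    """Walk a webroot and report unexpected script hosts per file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_unexpected_scripts(fh.read(), allowed_hosts)
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    for lineno, src, host in find_unexpected_scripts(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS):
        print(f"line {lineno}: unexpected script host {host!r} (src={src})")
```

Run against a real webroot with `scan_directory("/var/www/html", ALLOWED_SCRIPT_HOSTS)`. Note the limitation: an allowlist scan only catches tags pointing at foreign hosts. An attacker with FTP access can just as easily overwrite a same-origin file such as `/static/app.js`, so this check should be paired with a file-integrity baseline (hashes of known-good files) rather than relied on alone.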
Key Points:
• A redirection campaign has compromised at least 10,000 websites targeting East Asian audiences.
• Attackers used legitimate auto-generated FTP credentials to gain access to the websites.
• The goal of the campaign is unknown, but could be ad fraud, SEO manipulation, or something else.
• Attackers have been observed making changes to the JavaScript redirection code and sending collected information to attacker-controlled infrastructure.
• Strong access control, secure credentials, and regular monitoring of site content are essential defenses against such campaigns.