Thousands of hijacked websites in East Asia are redirecting to adult-themed sites

From the “this is different” file comes this report by Wiz on thousands of hijacked websites in East Asia which are redirecting visitors to adult-themed sites:

The compromised websites include many owned by small companies and several operated by multinational corporations. They are diverse in terms of their tech stacks and hosting services, making it difficult to pinpoint any specific vulnerability, misconfiguration, or source of leaked credentials this threat actor may be abusing. In several cases, including a honeypot we set up to investigate this activity, the threat actor connected to the target web server using legitimate FTP credentials they somehow obtained previously.

While we were not able to determine how this threat actor has been gaining initial access to the affected web servers or where they are sourcing their stolen credentials from, we’ve decided to publish our findings regardless, in order to bring more awareness to this ongoing activity. Given the nature of the destination websites, we believe the threat actor’s motivations are most likely financial, and perhaps they intend to merely increase traffic to these websites from specific countries and nothing more. However, the impact to the compromised websites and their user experience is equivalent to defacement, and whatever weaknesses this actor is exploiting to gain initial access to these websites could be utilized by other actors to inflict greater harm.

Rui Ribeiro, CEO and Cofounder of Jscrambler, had this comment:

     “This attack, which has compromised tens of thousands of websites aimed primarily at East Asian audiences and redirecting them to adult-themed content, highlights an often-overlooked security issue: securing the client-side experience at the moment the visitor is interacting with the website. In this case, the hacker injected malicious code into customer-facing web pages, collected information about the visitor, and hijacked their journey. This one incident underscores how important it is to understand the third-party JavaScript running on your browser and what data it is accessing. Not only is the customer experience tainted, but the compromised websites can face issues around data privacy, loss of revenue and reputation. Companies need visibility and control over the JavaScript that’s loaded into their web pages, whatever the source. Whether it’s a hijacking attack, data skimming or a simple configuration error, we must protect the interaction with each visitor.”

Now I just did a check of my corporate website and I have FTP enabled. So I will be turning that off so that I am not a victim of this sort of attack. If you have a website, you might want to do the same thing to avoid being a victim as well.
