A widespread malicious cyber campaign has hijacked hundreds of websites aimed at East Asian audiences to redirect visitors to adult-themed content since early September 2022.
The ongoing campaign involves injecting malicious JavaScript code into the hacked websites, often connecting to the target web server using legitimate FTP credentials the threat actor had previously obtained through an unknown method.
"In many cases, these were highly secure auto-generated FTP credentials which the attacker was somehow able to acquire and leverage for website hijacking," Wiz said in a report published this month.
The fact that the breached websites – owned by both small companies and multinational corporations – use different tech stacks and hosting service providers has made it difficult to trace a common attack vector, the cloud security firm noted.
That said, one of the common denominators between the websites is that a majority of them are either hosted in China or hosted in a different country but are primed for Chinese users.
What's more, the URLs hosting the rogue JavaScript code are geofenced to limit its execution in certain East Asian countries.
There are also indications that the campaign has set its sights on Android as well, with the redirection script leading visitors to gambling websites that urge them to install an app (APK package name "com.tyc9n1999co.coandroid").
The identity of the threat actor is unknown as yet, and although their exact motives are yet to be determined, it's suspected that the goal is to carry out ad fraud and SEO manipulation, or alternatively, drive inorganic traffic to these websites.
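As an added defender-side example (not code from the report or from Wiz), the following Python script checks HTML files for the kind of injection described above: external script tags pointing at hosts outside a site's own allowlist, and inline scripts that rewrite the browser location. The sample page, the allowlist and the hostnames are constructed placeholders, not indicators taken from the report.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one allow-listed CDN script,
# one injected third-party script and one inline redirect. Hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-site.test/lib.js"></script>
<script src="https://injected.invalid/redir.js"></script>
</head><body>
<script>if(navigator.language.startsWith("zh")){window.location.href="https://injected.invalid/p";}</script>
</body></html>"""

ALLOWED_HOSTS = {"cdn.example-site.test"}  # assumed: the site's own known script hosts

SRC_RE = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
INLINE_RE = re.compile(r'<script(?![^>]*\bsrc\b)[^>]*>(.*?)</script>', re.I | re.S)
REDIRECT_RE = re.compile(r'(window\.)?location(\.href)?\s*=(?!=)|location\.replace\(|document\.write\(', re.I)

def find_suspicious_scripts(html, allowed_hosts):
    """Return (kind, detail) findings: off-allowlist external scripts and inline redirects."""
    findings = []
    for src in SRC_RE.findall(html):
        host = urlparse(src).hostname  # relative paths have no host and are skipped
        if host and host not in allowed_hosts:
            findings.append(("external_script", src))
    for body in INLINE_RE.findall(html):
        if REDIRECT_RE.search(body):
            findings.append(("inline_redirect", body.strip()[:80]))
    return findings

def scan_webroot(root, allowed_hosts, exts=(".html", ".htm", ".php")):
    """Walk a web root (e.g. a local copy pulled over FTP) and map files with findings to them."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_suspicious_scripts(fh.read(), allowed_hosts)
                if hits:
                    report[path] = hits
    return report

if __name__ == "__main__":
    for kind, detail in find_suspicious_scripts(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"{kind}: {detail}")
```

Run `scan_webroot` against a fresh copy of the site's files rather than the live server, and treat any off-allowlist script host as something to verify against the deployment record before dismissing it.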
Another notable aspect of the attacks is the absence of phishing, web skimming, or malware infection.
"We remain unsure as to how the threat actor has been gaining initial access to so many websites, and we have yet to identify any significant commonalities between the impacted servers other than their usage of FTP," researchers Amitai Cohen and Barak Sharoni said.
"Although it's unlikely that the threat actor is using a 0-day vulnerability given the apparently low sophistication of the attack, we can't rule this out as an option."