A widespread malicious cyber operation has hijacked thousands of websites targeting East Asian audiences to redirect visitors to adult-themed content since early September 2022.
“In many cases, these were highly secure auto-generated FTP credentials that the attacker was somehow able to obtain and exploit for website hijacking,” Wiz said in a report published this month.
The fact that the breached sites — owned by both small firms and multinationals — use different technology stacks and hosting providers has made it difficult to trace a common attack vector, the cloud security company noted.
That said, one common denominator is that most of the sites are either hosted in China or, where hosted elsewhere, aimed at Chinese users.
There are also indications that the campaign has targeted Android users, with the redirect script sending visitors to gambling websites that encourage them to install an app (APK package name “com.tyc9n1999co.coandroid”).
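For site owners who want to check their own served pages for this kind of injected redirect, the following is an added example (not code from Wiz or from the article) of a small content check: it parses the HTML, flags inline scripts that assign the window location or reference hosts outside an owner-supplied allow-list, and flags meta-refresh redirects, `intent://` links and the APK package name the report names. The sample HTML documents, the `allowed_hosts` set and the finding messages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Package name reported by Wiz for the Android-targeting variant (from the article).
KNOWN_PACKAGE = "com.tyc9n1999co.coandroid"

# Generic redirect idioms a content check should flag (patterns chosen here, not from the report).
LOCATION_ASSIGN = re.compile(r"\blocation(?:\.href|\.replace|\.assign)?\s*(?:=|\()", re.I)
META_REFRESH = re.compile(r"<meta[^>]+http-equiv=[\"']refresh[\"'][^>]+url=", re.I)
INTENT_LINK = re.compile(r"intent://[^\"'\s]+", re.I)
URL_HOST = re.compile(r"https?://([^/\"'\s?#]+)", re.I)


class _ScriptCollector(HTMLParser):
    """Collect inline script bodies and external script sources from a page."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.inline_scripts = []
        self.external_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external_srcs.append(src)
            else:
                self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.inline_scripts.append(data)


def find_redirect_indicators(html, allowed_hosts):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    if KNOWN_PACKAGE in html:
        findings.append(f"known APK package name present: {KNOWN_PACKAGE}")
    if META_REFRESH.search(html):
        findings.append("meta refresh redirect present")
    if INTENT_LINK.search(html):
        findings.append("Android intent:// link present")
    for script in parser.inline_scripts:
        if LOCATION_ASSIGN.search(script):
            findings.append("inline script assigns window location")
        for host in URL_HOST.findall(script):
            if host.lower() not in allowed_hosts:
                findings.append(f"inline script references unexpected host: {host}")
    for src in parser.external_srcs:
        for host in URL_HOST.findall(src):
            if host.lower() not in allowed_hosts:
                findings.append(f"external script loaded from unexpected host: {host}")
    return findings


# Constructed samples (hypothetical, not captured from the campaign).
ALLOWED = {"shop.example"}
CLEAN_HTML = """<html><head><title>Shop</title></head>
<body><p>Welcome</p><script src="/static/app.js"></script></body></html>"""
INJECTED_HTML = """<html><head><title>Shop</title></head>
<body><p>Welcome</p>
<script>window.location.href="https://example-gambling.invalid/?ref=1";</script>
</body></html>"""
ANDROID_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=https://example-gambling.invalid/app"></head>
<body><a href="intent://open#Intent;package=com.tyc9n1999co.coandroid;end">Install</a></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_HTML), ("injected", INJECTED_HTML), ("android", ANDROID_HTML)):
        print(name, find_redirect_indicators(page, ALLOWED))
```

Run against a saved copy of each page served by your own site (fetched as a real browser would, since such injections are often served conditionally); a non-empty finding list on a page that should be static is a cue to diff the file on disk against a known-good copy and to review who holds FTP or other write access to it.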
The identity of the threat actor is currently unknown, and while their exact motives have yet to be identified, it is suspected that their goal is to perform ad fraud and SEO manipulation, or alternatively drive inorganic traffic to these sites.
Another notable aspect of the attacks is the absence of phishing, web skimming or malware.
“We remain uncertain how the threat actor gained initial access to so many websites, and we have yet to identify any significant commonalities between the affected servers other than their use of FTP,” researchers Amitai Cohen and Barak Sharoni said.
“While it is unlikely that the threat actor is using a 0-day vulnerability given the apparent low sophistication of the attack, we cannot rule this out as an option.”