“In many cases, these were highly secure auto-generated FTP credentials which the attacker was somehow able to acquire and leverage for website hijacking,” Wiz said in a recently-published report.
The cloud security company stated that it has been challenging to identify a common attack vector, since the compromised websites, owned by both small businesses and large corporations, use various tech stacks and hosting service providers. One thing the websites do have in common is that most of them are either hosted in China or are hosted in another nation but are optimized for Chinese users.
Although the threat actor’s identity is currently unknown and their exact objectives have not been established, it is believed that they are attempting to engage in ad fraud and SEO manipulation or, alternatively, to send inorganic traffic to these websites. Another noteworthy feature of the attacks is that they involve no phishing, online skimming, or malware infection.
Researchers Amitai Cohen and Barak Sharoni said they are still unaware of how the threat actor has been gaining initial access to so many websites. They have not yet found any notable similarities among the compromised servers beyond the fact that they all use FTP. Given the attack’s apparent lack of complexity, it is doubtful that the threat actor is employing a 0-day vulnerability, but the researchers cannot completely rule it out.