# Incident Report: Redirection Roulette Website Compromise
## Executive Summary
Beginning in early September 2022, an unknown threat actor compromised tens of thousands of websites primarily targeting East Asian audiences. The primary impact involved redirecting hundreds of thousands of website users to adult-themed content. The likely access vector involved the use of previously stolen, legitimate FTP credentials.
## Incident Details
- **Discovery Date:** Early September 2022 (implied; the campaign began then)
- **Incident Date:** Beginning early September 2022
- **Affected Organization:** Tens of thousands of websites (General Campaign)
- **Sector:** Web Hosting/General Websites
- **Geography:** Primarily East Asian audiences
## Timeline of Events
### Initial Access
- **Date/Time:** Early September 2022
- **Vector:** Previously obtained, legitimate FTP credentials.
- **Details:** The threat actor connected to target web servers using these credentials. The mechanism for stealing the initial FTP credentials is unknown.
### Lateral Movement
- **Details:** Not explicitly detailed in the source, but compromising website content via FTP suggests direct modification of publicly accessible files or configuration settings.
### Data Exfiltration/Impact
- **Details:** The primary impact was website redirection to adult-themed content (Defacement/Content Modification).
### Detection & Response
- **Details:** Wiz reported on or analyzed this activity (publication date September 1, 2022, concurrent with the start of the campaign).
- **Response actions taken:** Details of victim response are general (rotate credentials, reinstall software, restore assets).
## Attack Methodology
- **Initial Access:** Compromise via previously stolen, legitimate FTP credentials.
- **Persistence:** Not explicitly detailed; likely achieved by modifying page headers or primary index files.
- **Privilege Escalation:** Not applicable/Unknown (the actor used existing user-level FTP privileges).
- **Defense Evasion:** Unknown; likely achieved by using legitimate credentials for access.
- **Credential Access:** Unknown mechanism by which initial FTP credentials were stolen.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown; the observed activity focused on web content modification.
- **Collection:** Not the primary goal; focused on impact/defacement.
- **Exfiltration:** Not the primary goal.
- **Impact:** Content redirection/Defacement to adult-themed sites.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Not the primary impact; focus was website content integrity.
- **Operational:** Websites were functionally altered to serve unwanted content.
- **Reputational:** Significant negative impact due to redirection to adult content.
## Indicators of Compromise
- **Network indicators - defanged:** N/A (the source provides no IP or domain information).
- **File indicators:** Modification of public-facing website files (e.g., index pages).
- **Behavioral indicators:** Successful logins via FTP using compromised credentials leading to content modification.
## Response Actions
- **Containment measures:** Rotate FTP credentials, reinstall software from a trusted source.
- **Eradication steps:** Restore compromised assets to previous clean versions.
- **Recovery actions:** Verify integrity of all publicly accessible web files.
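As an added example (not code from the Wiz report), the following Python sketches the check implied by the behavioral indicator and the recovery step above: a SHA-256 manifest of the web root is diffed against a known-good baseline, then joined with successful FTP upload events so that files which both differ from baseline and were written over FTP stand out. The vsftpd-style log format is assumed; the log lines, user name, client IP, paths and digests are constructed.

```python
import hashlib
import re
from pathlib import Path

# Constructed vsftpd-style transfer log; user, client IP and paths are hypothetical.
FTP_LOG = """\
Thu Sep  1 03:12:44 2022 [pid 4120] [webuser] OK LOGIN: Client "198.51.100.23"
Thu Sep  1 03:13:02 2022 [pid 4122] [webuser] OK UPLOAD: Client "198.51.100.23", "/var/www/html/index.html", 2310 bytes
Thu Sep  1 03:13:09 2022 [pid 4122] [webuser] OK UPLOAD: Client "198.51.100.23", "/var/www/html/js/track.js", 812 bytes
"""
UPLOAD_RE = re.compile(
    r'\[(?P<user>[^\]]+)\] OK UPLOAD: Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"')
# Constructed manifests (relative path -> SHA-256, digests shortened): BASELINE from a
# known-good deployment, CURRENT from the live host as produced by build_manifest().
BASELINE = {"index.html": "7c2a91", "css/site.css": "19f0b3", "js/app.js": "b3e4d2"}
CURRENT = {"index.html": "e8d15f", "css/site.css": "19f0b3", "js/app.js": "b3e4d2",
           "js/track.js": "0aa97e"}

def build_manifest(root):
    """Hash every file under a web root; run once on a clean deploy and again to audit."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifest(baseline, current):
    """Return (added, removed, modified) relative paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def ftp_uploads(log_text, web_root):
    """Map web-root-relative path -> (user, client ip) for each successful upload."""
    uploads = {}
    for line in log_text.splitlines():
        m = UPLOAD_RE.search(line)
        if m and m["path"].startswith(web_root + "/"):
            uploads[m["path"][len(web_root) + 1:]] = (m["user"], m["ip"])
    return uploads

def correlate(baseline, current, log_text, web_root="/var/www/html"):
    """Files that both differ from baseline and were written over FTP."""
    added, _, modified = diff_manifest(baseline, current)
    uploads = ftp_uploads(log_text, web_root)
    return {p: uploads[p] for p in added + modified if p in uploads}

if __name__ == "__main__":
    for path, (user, ip) in correlate(BASELINE, CURRENT, FTP_LOG).items():
        print(f"{path}: differs from baseline, uploaded by {user} from {ip}")
```

Files that differ from baseline but have no matching FTP upload still need review; they point at a write path other than the FTP account, which the source leaves unknown.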
## Lessons Learned
- The compromise highlights that relying on outdated protocols with weak authentication (such as standard FTP) enables large-scale attacks, even when the initial credential-theft vector is unknown.
- Compromised FTP credentials provide sufficient access for significant web content manipulation.
## Recommendations
- Immediately decommission standard FTP protocols in favor of secured alternatives like FTPS or SFTP.
- Implement mandatory Multi-Factor Authentication (MFA) for all administrative and service accounts, including FTP access, if possible.
- Regularly audit and rotate all service account credentials, especially those used for external connections like FTP.