Since early September 2022, tens of thousands of websites aimed at East Asian audiences have been hacked, redirecting hundreds of thousands of their users to adult-themed content.
# Incident Report: Large-Scale Website Hijacking via Stolen FTP Credentials
## Executive Summary
An ongoing, large-scale cyber operation, active since early September 2022, has compromised tens of thousands of websites, primarily targeting East Asian audiences. The threat actor used legitimate, often highly secure, FTP credentials to gain unauthorized access to web servers. The primary impact involved injecting malicious JavaScript to redirect visitors, potentially for financial gain through ad fraud or SEO manipulation. The exact method of credential acquisition remains unknown, hindering definitive attribution or full containment.
## Incident Details
- **Discovery Date:** Early October 2022 (when reports surfaced regarding compromised Azure Web Apps).
- **Incident Date:** Activity began in early September 2022 and is ongoing.
- **Affected Organization:** Tens of thousands of websites, including those operated by small companies and multinational corporations.
- **Sector:** Diverse (Web Hosting/Services, various industries dependent on public-facing websites).
- **Geography:** Primarily targeting East Asian audiences, with compromise activity observed in various hosting environments.
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning early September 2022.
- **Vector:** Use of legitimate, previously obtained FTP credentials, sometimes highly complex and auto-generated.
- **Details:** Attackers connected to FTP endpoints, including those for web applications, apparently from a static IP address (`172.81.104[.]64`) in several observed instances. The precise method of how the credentials were sourced or stolen is unknown.
### Lateral Movement
- **Details:** Once access was gained via FTP, the attacker modified existing customer-facing web pages by injecting malicious code (typically a script tag referencing a remote JavaScript file). No evidence of traditional network lateral movement or internal host compromise was reported beyond the immediate web server/application files.
### Data Exfiltration/Impact
- **Details:** The primary impact was visitor redirection. Malicious scripts collected visitor environment information and redirected users to adult-themed or gambling content based on user location and random chance. No direct evidence of data exfiltration (skimming or full data theft) was found, though the scope of potential data collection by the embedded scripts is unclear.
### Detection & Response
- **Details:** Discovery was made by researchers investigating compromised Azure Web Apps in early October 2022. Response actions involve recommending credential rotation, software reinstallation from trusted sources, and restoration to clean versions for affected organizations.
## Attack Methodology
- **Initial Access:** Compromise via legitimate credentials obtained through an unknown means (the credentials were often too complex for brute-forcing, so exposure through some other channel is suspected).
- **Persistence:** Maintaining access via valid credentials; the injected script acts as persistence for visitor redirection.
- **Privilege Escalation:** Not explicitly detailed, assumed to be at the level of web file management (FTP user permissions).
- **Defense Evasion:** Using legitimate credentials bypasses typical network perimeter defenses; because the malicious script is loaded from remote sources, its content and location can be varied or obfuscated to evade detection.
- **Credential Access:** Unknown vector for obtaining the legitimate FTP credentials (e.g., phishing, supply chain breach, external credential leakage).
- **Discovery:** Limited visibility, but implied reconnaissance to identify targets and potentially collect visitor environmental details.
- **Lateral Movement:** Limited to file system modification on the compromised web servers.
- **Collection:** Visitor environment information collection by the remote JavaScript payloads.
- **Exfiltration:** No data exfiltration confirmed; the observable outflow is visitor traffic redirected to third-party content (financial motivation inferred).
- **Impact:** Visitor redirection, website defacement, potential ad fraud/SEO manipulation.
## Impact Assessment
- **Financial:** Motivations are suspected to be financial (ad fraud, traffic generation). No specific costs were provided.
- **Data Breach:** Limited confirmed data breach beyond visitor environment information captured by injected scripts. Tens of thousands of websites affected, exposing potentially hundreds of thousands of monthly victims to redirection.
- **Operational:** Equivalent to website defacement, disrupting the intended user experience.
- **Reputational:** Significant negative reputation impact due to redirection to adult/inappropriate content.
## Indicators of Compromise
- **Network indicators (Defanged):** Connections originating from static IP address: `172.81.104[.]64`.
- **File indicators:** Injected HTML `<script>` tags referencing external JavaScript files on compromised web pages. Malicious JavaScript files observed include: `vendor.06c7227b.js`, `min.js`, `market.js`, `ad.tmpl_a9b7.js`.
- **Behavioral indicators:** Unexpected redirection of website visitors, potentially contingent on user location or random factors.
## Response Actions
- **Containment measures:** Advised rotation of FTP credentials using strong, complex combinations; switching from FTP to FTPS or SFTP protocols.
- **Eradication steps:** Reinstalling affected software from trusted, clean sources; removing malicious code injections from web pages.
- **Recovery actions:** Restoring compromised assets to previous clean versions.
## Lessons Learned
- **Key takeaways:** Stolen legitimate credentials, even highly secure ones, present a viable and effective initial access vector for widespread web compromise. Relying solely on complex passwords is insufficient if the credentials themselves are compromised via an unknown vector.
- **What could have been done better:** The difficulty in pinpointing the initial source of credential compromise highlights a gap in visibility across diverse hosting environments.
## Recommendations
- Mandatory adoption of FTPS or SFTP for all web management access.
- Implement strong, unique, and complex usernames and passwords for all FTP/SFTP accounts.
- Regularly audit web page source code (especially customer-facing HTML/JS) for unauthorized external script inclusions.
- Investigate solutions for continuous monitoring of web file integrity across heterogeneous hosting platforms.
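As an added example supporting the source-code audit recommendation above (this is not code from the report or from the affected hosting providers), the following Python audit parses a page's `<script src>` includes and flags any that reference a host outside an assumed per-site allowlist or that carry one of the file names listed under Indicators of Compromise. The sample HTML is constructed for illustration; the allowed host `cdn.example-corp.com` is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# File names taken from the report's file indicators. Note that generic names
# such as min.js will also match legitimate files and need analyst triage.
KNOWN_BAD_SCRIPT_NAMES = {"vendor.06c7227b.js", "min.js", "market.js", "ad.tmpl_a9b7.js"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def audit_page(html, allowed_hosts):
    """Return (src, reason) findings for script includes that look injected.

    allowed_hosts: set of host names the site is expected to load scripts from.
    Relative paths (no host) are treated as first-party and only checked by name.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        parsed = urlparse(src)          # handles absolute and protocol-relative URLs
        host = parsed.hostname          # None for relative paths
        filename = parsed.path.rsplit("/", 1)[-1]
        if filename in KNOWN_BAD_SCRIPT_NAMES:
            findings.append((src, "known indicator file name"))
        elif host and host not in allowed_hosts:
            findings.append((src, f"external host {host} not in allowlist"))
    return findings


# Constructed sample page: one local script, one allowed CDN script and three
# includes of the kind the report describes (hosts are placeholder .test names).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-corp.com/lib/jquery.js"></script>
<script type="text/javascript" src="//static.example-bad.test/js/vendor.06c7227b.js"></script>
<script src="https://track.example-bad.test/market.js"></script>
<script src="https://ads.example-bad.test/loader.js"></script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for src, reason in audit_page(SAMPLE_HTML, {"cdn.example-corp.com"}):
        print(f"SUSPECT {src}: {reason}")
```

Run it over every HTML file restored from a hosting environment and diff the findings against a known-good baseline; anything new is a candidate for the injected tag the report describes.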