- DataDog reports attackers hijacking NGINX configurations to reroute traffic through malicious infrastructure
- Campaign targets Asian government and education sectors, enabling theft of session tokens, cookies, and credentials
- Hijacked traffic used for phishing, malware injection, ad fraud, and proxying further attacks
Cybercriminals are targeting NGINX servers, rerouting legitimate traffic through their malicious infrastructure, experts have warned.
Security researchers at DataDog Security Labs found the attackers are focused primarily on Asian targets in the government and education industries.
NGINX servers are software systems that sit in front of websites or apps and handle incoming web traffic. They serve content, balance loads, and route requests to the appropriate backend servers.
What to do with the stolen data
In the attack, the unnamed threat actors modify the NGINX configuration files and inject malicious blocks that grab incoming requests. They then rewrite them to include the original URL and forward traffic to domains under their control. As per DataDog, this is a five-stage attack that starts with a configuration injection and ends with data exfiltration.
Since no vulnerability is being abused here, and the victims still end up on the pages they asked for, none is the wiser. Still, cybercriminals are getting away with valuable information that can be used in different ways.
Because headers are preserved, the attacker can collect IP addresses, user agents, referrers, session tokens, cookies, and sometimes credentials or API keys if they appear in requests. On government or .edu sites, that data is especially valuable.
They can also manipulate content, selectively. Since only certain URL paths are hijacked, the attacker can inject ads, phishing pages, malware downloads, or fake login prompts only when they want, successfully targeting specific users, regions, or time zones.
Then, there is the option of traffic monetization and resale. Clean, real user traffic routed through attacker infrastructure can be sold for ad fraud, SEO manipulation, click-fraud, or used to boost other malicious services, which is a common practice in large-scale proxy ecosystems.
Finally, compromised NGINX servers can be used to proxy attacks against other targets, effectively masking their origins.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
