- DataDog reports attackers hijacking NGINX configurations to redirect traffic through malicious infrastructure
- The campaign targets Asian government and education sectors, enabling the theft of session tokens, cookies and credentials
- Hijacked traffic used for phishing, malware injection, ad fraud and additional proxy attacks
Cybercriminals are targeting NGINX servers and redirecting legitimate traffic through their malicious infrastructure, experts have warned.
Security researchers at DataDog Security Labs found that the attackers are primarily focused on Asian targets in the government and education industries.
NGINX servers are software systems that sit in front of websites or apps and handle incoming web traffic. They serve content, balance loads, and route requests to the appropriate backend servers.
What to do with the stolen data
In the attack, the unnamed threat actors modify the NGINX configuration files and inject malicious blocks that trap incoming requests. They then rewrite those requests to include the original URL and forward the traffic to domains under their control. According to DataDog, this is a five-step attack that starts with configuration injection and ends with data exfiltration.
Since no vulnerability is being exploited here, and victims still end up on the pages they asked for, no one is the wiser. Still, cybercriminals get away with valuable information that can be used in various ways.
Because request headers are preserved, the attacker can collect IP addresses, user agents, referrers, session tokens, cookies and, where they appear in requests, credentials or API keys. On public or .edu sites, this data is especially valuable.
They can also selectively manipulate content. Since only certain URL paths are hijacked, the attacker can inject ads, phishing pages, malware downloads, or fake login prompts only when they want, successfully targeting specific users, regions, or time zones.
Then there is the possibility of traffic revenue generation and resale. Pure, genuine user traffic routed through attacker infrastructure can be sold for ad fraud, SEO manipulation, click fraud, or used to boost other malicious services, a common practice in large-scale proxy ecosystems.
Finally, compromised NGINX servers can be used for proxy attacks against other targets, effectively masking their origin.
Via Bleeping Computer