Hackers are targeting FTP upload sites with the hopes of redirecting victims to spam or even infecting webservers that rely on FTP applications for updates.
Hold Security reported yesterday it had secured a list of credentials for close to 7,800 FTP sites being circulated in cybercrime forums. The list includes high-profile targets all the way down to individual FTP servers that are exposed to the Internet and guarded only by default credentials, or access codes that have been stolen by botnets or other infections.
Founder and chief information security officer Alex Holden said he is unsure of the scale and damage of these attacks, or who might be behind them. A number of potential victims have been notified by Hold Security, Holden said.
“The signatures seem to be the same. Whether it’s a single group that has been doing this, or multiple groups, we don’t know,” Holden said. “We have been gathering information on the malware they distributed and with the malware, there is quite a bit of re-use and recycling. It’s hard to pinpoint it to a single group, especially if we don’t know the exact source of the data.”
Holden said there are two different attack vectors. One, hackers are uploading malicious PHP scripts to the FTP servers they have access to hoping the FTP server has some link to a webserver where it is used to upload content.
“Hacker’s cannot usually upload information to a website, but using FTP, they can upload [malware] and if there is a connection between FTP and the webserver, they can execute code and can actually take control over a webserver,” Holden said. “This is probably their end goal because the webserver gives them the ability to access data and the database.” Holden said the attackers have had limited success so far finding this type of connection.
The second exploit observed in these attacks are the uploading of HTML files onto the FTP server, which if opened via a browser, which is often the default client for looking at files on an FTP app or server, can redirect the victim to a hacker-controlled site. The files, Holden said, are named something innocuous, such as Pinterest, AOL, or something related to the victim’s company that would entice the victim to open the file. Holden said some victims have been redirected to malicious sites peddling prescription medication, pornography or even ransomware sites.
“This is why we think it may be more than one group,” Holden said. “There are different schemes going on.”
The list of FTP credentials has been compiled over some time and is being peddled recently on underground forums. PC World reported that the New York Times and UNICEF were among the high-profile victims; both have been notified and told the publication they were in the process of hardening their FTP servers.
Some others, worldwide, were also compromised, Holden said, but they are still in the process of notifying them. Holden said there were no major U.S. banks on the list, likely because FTP is not a secure means of file exchange and not used by financial organizations. He did say a number of media companies were on the list, however; companies in that industry are more likely to exchange graphics files over FTP.
Holden urges organizations to inspect their FTP deployments, scan them with antimalware agents and check for open deployments on the Internet.