9:30 ET, 21 February 2014

Hold Security reported it has discovered a list of credentials for close to 7,800 FTP servers being circulated in cybercrime forums in the Deep Web.

FTP servers are considered a privileged target for cyber criminals, hackers can exploit them for example to spread malware infecting webservers that rely on FTP applications for updates.

The Hold Security firm has recently reported that its experts have discovered thousands of FTP sites infected by malware, the company has found in the underground a list of credentials for nearly 7,800 FTP websites. During their DeepWeb Monitoring activity the experts have found the precious list that includes high-profile targets, a collection of FTP servers poorly protected that were victims of botnets or other infections that stolen the FTP credentials. The New York Times and UNICEF were among the high-profile victims according PC World, both have been notified.

“Hackers compromised thousands of FTP sites to plant their malware or to attempt to compromise connected web services. This week Hold Security’s Deep Web Monitoring Service obtained evidence of hackers abusing FTP sites of companies of all sizes across the globe. Hackers planted PHP scripts armed with backdoors (shells) and viruses in multiple directories hoping that these directories map to web servers of the victim companies to gain control of the web services. They also uploaded HTML files with seamless re-directs to malicious sites.”

As confirmed by the founder and chief information security officer Alex Holden, it is unclear the scale and the extension of the attacks that compromised the FTP servers, from the analysis of signatures the security experts identified many similarities for the attacks.

“The signatures seem to be the same. Whether it’s a single group that has been doing this, or multiple groups, we don’t know,”  “We have been gathering information on the malware they distributed and with the malware, there is quite a bit of re-use and recycling. It’s hard to pinpoint it to a single group, especially if we don’t know the exact source of the data.” Holden said.

f1

Holden identified two following different attack vectors.

  • The hackers uploads malicious PHP scripts to the FTP servers, if the FTP servers have some link to a webserver where it is used to upload content the attackers have reached their intent.
  • The hackers uploads HTML files onto the FTP servers, if victims navigate files list on an FTP app or server using their browser they are hijacked to a malicious website controlled by cybercriminals. The attackers use social engineering tricks to deceive victims, the files in fact have innocuous names such as Pinterest, AOL, or something related to the victim’s company.

In the typical attack scenarios, victims are redirected to malicious sites proposing prescription medication, pornography or even website serving ransomware.

“Hacker’s cannot usually upload information to a website, but using FTP, they can upload [malware] and if there is a connection between FTP and the webserver, they can execute code and can actually take control over a webserver,” “This is probably their end goal because the webserver gives them the ability to access data and the database.” added Holden.

“This is why we think it may be more than one group,” Holden said. “There are different schemes going on.”

It is suggested to organization to assess their FTP servers and to improve their security.

Pierluigi Paganini

(Editor-In-Chief, CDM)

 

rsa-logo