- Researchers have found more than 35,000 compromised websites
- The sites carried malicious code that took over the browser window
- Visitors were served casino landing pages
More than 35,000 websites have been compromised in a large hacking campaign that redirected users to malicious pages, or possibly even served them malware, experts have warned.
A report from cybersecurity researchers at c/side did not detail who the attackers are, except to say that they could be linked to the Megalayer exploit.
They also did not discuss how the threat actors managed to compromise these tens of thousands of websites, but once the attackers had access, they used it to inject a malicious script from a list of domains.
Hide from researchers
“Once the script is loaded, it completely hijacks the user’s browser window – often redirecting them to pages promoting a gambling platform (or casino) in Chinese,” the researchers explained.
The attackers are probably Chinese-speaking, because they operate from regions where Mandarin is common, and because the final landing pages present gambling content under the Kaiyun brand.
The tens of thousands of compromised websites served a few variants of gambling landing pages, it was explained. Some IPs and regions were served a static page saying that access is blocked. According to the researchers, this is meant to keep security researchers from discovering the attack.
c/side believes the campaign is linked to the Megalayer exploit because that exploit is known to distribute Chinese-language malware and uses the same domain patterns and the same obfuscation tactics.
To protect websites against these exploits, c/side advises teams to audit their source code and block the malware, or to use firewall rules for Zuizhongjs[.]com, P11VT3[.]VIP and associated subdomains. They should also monitor logs for unexpected outbound requests to these domains, check for unauthorized modifications, restrict scripts to trusted domains only with a well-defined CSP, and frequently scan their sites with tools like PublicWWW or urlscan.
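As an added example (not part of the original report or of c/side's tooling), the following Python checks implement the advice above: scanning page source and egress log lines for the two flagged domains and their subdomains, and verifying that a CSP's script-src allows only trusted hosts. The sample HTML, the log lines and the trusted CDN host are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Domains named in the c/side advisory (defanged on the page; re-fanged here for matching).
BLOCKED_DOMAINS = ("zuizhongjs.com", "p11vt3.vip")

# Constructed sample inputs: one injected loader beside a legitimate script,
# and three egress log lines of which one points at a flagged subdomain.
SAMPLE_HTML = ('<html><head><script src="//cdn.zuizhongjs.com/x.js"></script>'
               '<script src="https://cdn.example.com/app.js"></script></head></html>')
SAMPLE_LOG = [
    "2025-02-20T10:00:01Z GET https://cdn.example.com/app.js 200",
    "2025-02-20T10:00:02Z GET https://a.p11vt3.vip/loader.js 200",
    "2025-02-20T10:00:03Z GET https://www.example.com/ 200",
]

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")


def is_blocked_host(host: str) -> bool:
    """True if host is one of the flagged domains or any subdomain of them."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def find_injected_scripts(html: str) -> list[str]:
    """Return external <script src> URLs in page source that load from a flagged domain."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        # Protocol-relative "//host/path" parses fine; bare relative paths get a dummy scheme.
        host = urlparse(src if "//" in src else "https://" + src).hostname or ""
        if is_blocked_host(host):
            hits.append(src)
    return hits


def flag_outbound_log(lines: list[str]) -> list[str]:
    """Return log lines (proxy/egress format) that contain a URL on a flagged domain."""
    return [ln for ln in lines if any(is_blocked_host(h) for h in URL_HOST_RE.findall(ln))]


def csp_allows_only(csp: str, trusted: set[str]) -> bool:
    """True if script-src is present and lists only 'self' and trusted hosts (no '*', no unsafe-inline)."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0] == "script-src":
            srcs = set(parts[1:])
            return bool(srcs) and all(s == "'self'" or s in trusted for s in srcs)
    return False  # no script-src at all: scripts are unrestricted


if __name__ == "__main__":
    print(find_injected_scripts(SAMPLE_HTML), flag_outbound_log(SAMPLE_LOG))
```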