More than 16,000 adult-content, education and government sites were victims of hackers

A new malicious Traffic Direction System (TDS), Parrot TDS, has been discovered and has infected multiple web servers hosting more than 16,500 sites. Affected websites include adult content pages, personal, university and government sites.

The infected sites' appearance is modified to display a phishing page claiming that the user needs to update their browser.

When a user runs the offered browser update file, a remote access tool (RAT) is downloaded, giving attackers full access to victim computers.

“Traffic steering systems serve as a gateway for the delivery of various malicious campaigns through infected sites,” said Jan Rubin, Malware Researcher at Avast, who identified this issue. “Right now, a malicious campaign called FakeUpdate (also known as SocGholish) is being distributed via Parrot TDS, but other malicious activities could be carried out in the future through the TDS.”

Researchers Jan Rubin and Pavel Novak believe that attackers are exploiting web servers running poorly secured content management systems, such as WordPress and Joomla sites.

The criminals log in to accounts with weak credentials to gain administrator access to the servers.

“The only thing the sites have in common is that they are WordPress sites and, in some cases, Joomla sites. Therefore, we suspect that they take advantage of weak login credentials to infect sites with malicious code,” said Pavel Novak, ThreatOps Analyst at Avast. He added: “The robustness of the Parrot TDS and its great range make it unique.”

Parrot TDS allows attackers to set parameters so that phishing pages are shown only to potential victims who meet certain conditions, taking into account the user's browser type, cookies, and the website they came from.

What the FakeUpdate campaign is about

The FakeUpdate campaign uses JavaScript to change the appearance of the site and display phishing messages claiming that the user needs to update their browser.

Like Parrot TDS, FakeUpdate also performs a preliminary scan to collect information about the site visitor before displaying the phishing message. This is a defensive measure used, among other things, to decide whether or not to display the phishing message.

The scan checks which antivirus product is installed on the device. The file being offered as an update is actually a remote access tool called NetSupport Manager.

The cybercriminals behind the campaign have configured the tool in such a way that the user has very little chance of noticing. If the victim executes the file, the attackers gain full access to their computer and they can change the payload delivered to victims at any time.

In addition to the FakeUpdate campaign, the researchers looked at other phishing sites hosted on the infected Parrot TDS sites, although they cannot conclusively link them to that traffic direction system.

How users can avoid being phishing victims:

1. If the site being visited appears different than expected, visitors should leave the page and not download any files or enter any information.

2. Also, updates should be downloaded directly from the browser settings, never through other channels.

How developers can protect servers:

1. Replace all JavaScript and PHP files on the web server with original files.

2. Use the latest version of the content management system or CMS.

3. Use the latest versions of installed plugins.

4. Check if there are tasks running automatically on the web server.

5. Verify and configure secure credentials and use unique credentials for each service.

6. Check the administrator accounts on the server, making sure that each of them belongs to a developer and has a strong password.

7. Where applicable, configure two-factor authentication for all web server administrator accounts.

8. Use available security plugins.

9. Scan all files on the web server with an antivirus program.
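Steps 1 and 9 above assume you can tell which JavaScript and PHP files on the web root have been altered or added. The script below is an added example, not code from Avast or from the article, showing one way to do that: record a baseline of SHA-256 hashes from a known-clean copy of the site (for instance a fresh CMS download plus your own theme and plugin sources), then compare the live web root against it and report modified, added and missing files. The directory layout, file names and the "known-clean" baseline are assumptions; the `demo()` function builds a small constructed web root in a temporary directory so the check can be run offline.

```python
"""Baseline file-integrity check for the PHP/JS files of a web root.

Added example (not the article's or Avast's code). Assumes a baseline
manifest captured from a known-clean copy of the site; any file whose
hash differs from that baseline, or that is not in it at all, is a
candidate for replacement with the original file.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Only the file types the article recommends replacing are tracked.
CODE_SUFFIXES = {".php", ".js"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map of relative POSIX path -> SHA-256 for every .php/.js under root."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in CODE_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    """Persist the baseline as JSON; keep this copy OFF the web server."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as modified, added (unknown file) or missing."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict[str, list[str]]:
    """Run the check on a constructed web root: one altered JS file and one
    PHP file that was never part of the install. Returns the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        # constructed "clean" files standing in for a CMS install
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "jquery.js").write_text("window.jQuery = window.jQuery || {};\n")
        baseline = build_manifest(root)

        # constructed change 1: content appended to a legitimate JS file
        with (root / "wp-includes" / "jquery.js").open("a") as handle:
            handle.write("/* constructed sample of appended content */\n")
        # constructed change 2: a PHP file the baseline never contained
        (root / "wp-includes" / "cache-helper.php").write_text("<?php // constructed sample\n")

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    # Real usage: build_manifest() on a clean copy, save_manifest() somewhere
    # off the server, then load_manifest() + compare() against the live root.
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Treat every "modified" or "added" entry as a file to replace from original sources rather than something to clean by hand, and re-run the check after the CMS and plugin updates from steps 2 and 3 so the baseline reflects the versions actually deployed.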
