Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 2,350 of 2,445    |
|    Mike Powell to All    |
|    NGINX servers hijacked in global campaig    |
|    06 Feb 26 11:50:54    |
TZUTC: -0500
MSGID: 2108.consprcy@1:2320/105 2deb5a2a
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

NGINX servers hijacked in global campaign to redirect traffic

By Sead Fadilpašić published yesterday

Redirected traffic can be abused in multiple ways, experts warn

Cybercriminals are targeting NGINX servers, rerouting legitimate traffic through their malicious infrastructure, experts have warned.

Security researchers at DataDog Security Labs found the attackers are focused primarily on Asian targets in the government and education industries.

NGINX servers are software systems that sit in front of websites or apps and handle incoming web traffic. They serve content, balance loads, and route requests to the appropriate backend servers.

What to do with the stolen data

In the attack, the unnamed threat actors modify the NGINX configuration files and inject malicious blocks that grab incoming requests. They then rewrite them to include the original URL and forward traffic to domains under their control. As per DataDog, this is a five-stage attack that starts with a configuration injection and ends with data exfiltration.

Since no vulnerability is being abused here, and the victims still end up on the pages they asked for, none is the wiser. Still, cybercriminals are getting away with valuable information that can be used in different ways. Because headers are preserved, the attacker can collect IP addresses, user agents, referrers, session tokens, cookies, and sometimes credentials or API keys if they appear in requests. On government or .edu sites, that data is especially valuable.

They can also manipulate content, selectively. Since only certain URL paths are hijacked, the attacker can inject ads, phishing pages, malware downloads, or fake login prompts only when they want, successfully targeting specific users, regions, or time zones.

Then, there is the option of traffic monetization and resale. Clean, real user traffic routed through attacker infrastructure can be sold for ad fraud, SEO manipulation, click-fraud, or used to boost other malicious services, which is a common practice in large-scale proxy ecosystems.

Finally, compromised NGINX servers can be used to proxy attacks against other targets, effectively masking their origins.

Via BleepingComputer

https://www.techradar.com/pro/security/nginx-servers-hijacked-in-global-campaign-to-redirect-traffic

$$
--- SBBSecho 3.28-Linux
 * Origin: Capitol City Online (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
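An added example, not part of the original message or the reposted article: because the campaign described above works by injecting configuration blocks that forward selected paths to outside domains, a defender can audit every `proxy_pass` target against a list of known backends. The sample configuration, host names and allowlist below are constructed placeholders, and the function name `audit_proxy_targets` is hypothetical.

```python
import re

# Constructed sample: one expected backend, plus one location block that
# forwards to a host outside the allowlist (placeholder domain).
SAMPLE_CONF = """
upstream app_backend {
    server 10.0.0.5:8080;
}
server {
    listen 80;
    server_name portal.example.edu;
    location / {
        proxy_pass http://app_backend;
    }
    location /help/ {
        proxy_pass http://collector.example.net;
        proxy_set_header Host $host;
    }
    # proxy_pass http://old.example.org;
}
"""
ALLOWED = {"10.0.0.5", "127.0.0.1", "localhost"}  # assumed known backends

def audit_proxy_targets(conf_text, allowed_hosts):
    """Return (line_no, location, target) for every proxy_pass whose target
    is not an allowed host or an upstream made only of allowed hosts."""
    # Drop comments (naive: does not handle '#' inside quoted strings).
    lines = [re.sub(r"#.*", "", l).strip() for l in conf_text.splitlines()]
    upstreams, current = {}, None
    for l in lines:  # pass 1: map each upstream name to its server hosts
        if (m := re.match(r"upstream\s+(\S+)\s*\{", l)):
            current = m.group(1)
            upstreams[current] = []
        elif current and (s := re.match(r"server\s+([^\s;:]+)", l)):
            upstreams[current].append(s.group(1))
        elif l.startswith("}"):
            current = None
    findings, location = [], None
    for n, l in enumerate(lines, 1):  # pass 2: check each proxy_pass target
        if (m := re.match(r"location\s+(?:[=~*^]+\s*)?(\S+)", l)):
            location = m.group(1)
        if (p := re.match(r"proxy_pass\s+\w+://([^/:;\s]+)", l)):
            target = p.group(1)
            members = upstreams.get(target) or [target]
            if not all(h in allowed_hosts for h in members):
                findings.append((n, location, target))
    return findings

if __name__ == "__main__":
    for finding in audit_proxy_targets(SAMPLE_CONF, ALLOWED):
        print("unexpected proxy_pass target:", finding)
```

Run it over the fully expanded configuration (the output of `nginx -T`) so that included files are covered; targets given as variables are reported as well, since they cannot be resolved statically.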
(c) 1994, bbs@darkrealms.ca