1. Forum
  2. FidoNET
  3. CONSPRCY

  • NGINX servers hijacked in global campaign to redirect traffic

    From Mike Powell@1:2320/105 to All on Friday, February 06, 2026 11:50:54
    NGINX servers hijacked in global campaign to redirect traffic

    By Sead Fadilpa?i? published yesterday

    Redirected traffic can be abused in multiple ways, experts warn

    Cybercriminals are targeting NGINX servers, rerouting legitimate traffic through their malicious infrastructure, experts have warned.

    Security researchers at DataDog Security Labs found the attackers are focused primarily on Asian targets in the government and education industries.

    NGINX servers are software systems that sit in front of websites or apps and handle incoming web traffic. They serve content, balance loads, and route requests to the appropriate backend servers.

    What to do with the stolen data

    In the attack, the unnamed threat actors modify the NGINX configuration files and inject malicious blocks that grab incoming requests. They then rewrite them to include the original URL and forward traffic to domains under their control. As per DataDog, this is a five-stage attack that starts with a configuration injection and ends with data exfiltration.

    Since no vulnerability is being abused here, and the victims still end up on the pages they asked for, none is the wiser. Still, cybercriminals are getting away with valuable information that can be used in different ways. Because headers are preserved, the attacker can collect IP addresses, user agents, referrers, session tokens, cookies, and sometimes credentials or API keys if they appear in requests. On government or .edu sites, that data is especially valuable.

    They can also manipulate content, selectively. Since only certain URL paths are hijacked, the attacker can inject ads, phishing pages, malware downloads, or fake login prompts only when they want, successfully targeting specific users, regions, or time zones.

    Then, there is the option of traffic monetization and resale. Clean, real user traffic routed through attacker infrastructure can be sold for ad fraud, SEO manipulation, click-fraud, or used to boost other malicious services, which is a common practice in large-scale proxy ecosystems.

    Finally, compromised NGINX servers can be used to proxy attacks against other targets, effectively masking their origins.

    Via BleepingComputer


    https://www.techradar.com/pro/security/nginx-servers-hijacked-in-global-campaig n-to-redirect-traffic

    $$
    --- SBBSecho 3.28-Linux
    * Origin: Capitol City Online (1:2320/105)