NEWS The hackers simply used NGINX instructions. It turns out that bugs aren't always necessary for hacking.

pinkman

The main targets of the new cyberattack were government and educational resources in Asia.
Datadog specialists have discovered an active web traffic interception campaign targeting NGINX servers and hosting control panels, including Baota, a popular service in Asia. Attackers surreptitiously embed malicious rules into server configurations and begin routing user requests through nodes under their control, effectively acting as an intermediary between the website and the visitor.

The attack is linked to a group that previously exploited the React2Shell vulnerability. Now, they're using automated scripts to modify NGINX settings. After implementing these rules, legitimate requests to the site aren't blocked, so the website owner may not notice the problem for a long time. However, some requests are redirected to third-party servers, where traffic can be analyzed, page content can be spoofed, or ads and other fraudulent schemes can be inserted.

The campaign most often targets domain extensions from Asian countries, including .in, .id, .pe, .bd, and .th, as well as websites hosted by educational and government institutions. A special focus is placed on servers running the Chinese Baota control panel, which is widely used by local providers.

Experts explain that the attack mechanism is based on standard NGINX capabilities. Malicious rules are added to address processing blocks and utilize proxying and address rewriting functions. This makes the incoming request appear normal, but actually goes to another server. The attackers also insert service headers to maintain the appearance of a real user and complicate detection.

The discovered tools operate in stages. First, the main script is launched, downloading the remaining components even when standard download utilities are unavailable. Then, individual modules search for NGINX configuration files and the Baota panel, check them for previous injections, and carefully append malicious fragments. To prevent website crashes, a configuration check and a soft reboot of the service are performed after changes. If this fails, a forced restart is performed.

More advanced versions of the scripts can bypass various configuration file locations in Linux and container environments, track already infected domains, and generate a summary map of attacks. The report is then sent to the attackers' command and control server.

Experts advise administrators to check NGINX configuration files for suspicious proxy rules and unexpected address processing blocks, especially if they use hosting control panels. It's also recommended to enable configuration file change monitoring and server reboot logging. This allows for quicker detection of unauthorized changes and the prevention of traffic interception.
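An added example (not code from Datadog or from the article) that implements the check recommended above: a small Python scanner that walks NGINX configuration files, flags proxy_pass, rewrite and return directives whose target host is outside an operator-maintained allowlist, and lists any proxy_set_header lines found in the same block. The allowlist, the sample configuration and the 203.0.113.10 address in it are constructed for the example.

```python
import re
from pathlib import Path

# Assumption: the operator maintains this allowlist of legitimate proxy and
# redirect targets; any other literal host in a proxy_pass/rewrite/return is reported.
# Targets built from variables (http://$upstream) are not resolved and not flagged.
TRUSTED_HOSTS = {"127.0.0.1", "localhost", "backend"}

DIRECTIVE_RE = re.compile(r"\b(proxy_pass|rewrite|return|proxy_set_header)\s+([^;]*);")
HOST_RE = re.compile(r"https?://([^/:\s;$]+)")
BLOCK_RE = re.compile(r"([^{};]*)\{|\}")   # block openers ("location /x {") and closers

def enclosing_blocks(text, pos):
    """Return the chain of blocks (http, server, location ...) that enclose offset pos."""
    stack = []
    for m in BLOCK_RE.finditer(text, 0, pos):
        if m.group(0) == "}":
            if stack:
                stack.pop()
        else:
            stack.append(" ".join(m.group(1).split()))
    return stack

def scan_config(text):
    """Flag proxy/redirect directives pointing at hosts outside TRUSTED_HOSTS.

    Each finding records the enclosing block, the directive, its arguments, the
    untrusted hosts, and every proxy_set_header seen in the same block."""
    findings, headers_by_block = [], {}
    for m in DIRECTIVE_RE.finditer(text):
        name, args = m.group(1), " ".join(m.group(2).split())
        block = " > ".join(enclosing_blocks(text, m.start())) or "(top level)"
        if name == "proxy_set_header":
            headers_by_block.setdefault(block, []).append(args)
            continue
        untrusted = [h for h in HOST_RE.findall(args) if h not in TRUSTED_HOSTS]
        if untrusted:
            findings.append({"block": block, "directive": name, "args": args,
                             "untrusted_hosts": untrusted})
    for f in findings:  # attach headers only after the whole file has been read
        f["headers_in_block"] = headers_by_block.get(f["block"], [])
    return findings

def scan_tree(root):
    """Scan every *.conf under an NGINX config directory; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*.conf"):
        hits = scan_config(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample config: one legitimate upstream, one injected location block.
SAMPLE_CONF = """
http {
  server {
    listen 80;
    location /api/ {
      proxy_pass http://127.0.0.1:8080;
    }
    location ~* \\.(php)$ {
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_pass http://203.0.113.10/;
    }
    location /old {
      rewrite ^ http://localhost/new permanent;
    }
  }
}
"""

if __name__ == "__main__":
    for hit in scan_config(SAMPLE_CONF):
        print(hit)
```

Run it against a real tree with `scan_tree("/etc/nginx")` (or the panel's own config directory) and keep a hash of each file from a clean baseline alongside, so that any change to the flagged files is also caught by the change monitoring the article recommends.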