Hold Security has revealed that it uncovered a list of credentials for around 7,800 FTP servers being traded on cybercrime forums within the Deep Web.
FTP servers are useful infrastructure for large malware campaigns: attackers can host payloads on them and update the malware's executable via the FTP server.
In this instance, Hold Security found that the attackers planted malicious PHP scripts (web shells) and malware in numerous directories on the compromised FTP servers, expecting that those directories map to the victim companies' web servers, so that a file uploaded over FTP becomes reachable over HTTP and hands them control of the web service. In addition to the PHP scripts, they also uploaded HTML files that silently redirect visitors to malicious sites.
According to the firm's founder, Alex Holden, the full scale of the attacks on the FTP servers has not yet been determined, but in analysing the attack signatures the researchers found many similarities between the individual attacks.
“The signatures seem to be the same. Whether it’s a single group that has been doing this, or multiple groups, we don’t know,” Holden said. “We have been gathering information on the malware they distributed and, with the malware, there is quite a bit of re-use and recycling. It’s hard to pinpoint it to a single group, especially if we don’t know the exact source of the data.”
Holden also urges companies to review their FTP setup and ensure that no third party has had access to it, and adds that “end-users should be more vigilant about the embedded links they follow even to legitimate sites.”
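The two practical checks the article points at, hunting for planted PHP shells and redirect pages in a web root and auditing FTP transfer logs for uploads from unexpected hosts, can be scripted. The following is an added example written for this page; it is not Hold Security's tooling and the detection regexes, the allowlist and the sample files and xferlog lines are constructed, illustrative assumptions (the log parser assumes the wu-ftpd/vsftpd xferlog layout with no spaces in file names).

```python
"""Added example: hunt for planted webshells / redirect pages in a web root
and for unexpected FTP uploads in an xferlog.  Heuristics and sample data
are constructed for illustration, not the signatures from the article."""
import os
import re
import tempfile

# A PHP file that reads request input AND hands something to a code- or
# command-execution function is the classic one-file webshell (assumed heuristic).
PHP_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
PHP_DANGER = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"base64_decode)\s*\(", re.IGNORECASE)
# "Smooth" HTML redirects: meta refresh or a JavaScript location change.
HTML_REDIRECT = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh|"
    r"(window\.|document\.)?location(\.href)?\s*=|location\.replace\s*\(",
    re.IGNORECASE)

def classify_file(path):
    """Return a reason string if the file looks planted, else None."""
    try:
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="replace")
    except OSError:
        return None
    ext = os.path.splitext(path)[1].lower()
    if ext in (".php", ".phtml", ".php5"):
        if PHP_INPUT.search(text) and PHP_DANGER.search(text):
            return "php-webshell-pattern"
    elif ext in (".html", ".htm"):
        if HTML_REDIRECT.search(text):
            return "html-redirect"
    return None

def scan_webroot(root):
    """Walk a web root and return sorted (relative path, reason) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify_file(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, reason))
    return sorted(hits)

def audit_xferlog(lines, allowed_ips):
    """Return (host, user, file) for uploads (direction 'i') of web-executable
    files from hosts not in allowed_ips.  Assumes xferlog field order:
    5 timestamp tokens, xfer-time, remote-host, size, filename, type, flag,
    direction, mode, user, service, auth, auth-id, status (18 tokens)."""
    suspicious = []
    for line in lines:
        f = line.split()
        if len(f) < 18:
            continue  # malformed or truncated record
        remote_host, filename, direction, user = f[6], f[8], f[11], f[13]
        ext = os.path.splitext(filename)[1].lower()
        if (direction == "i" and ext in (".php", ".phtml", ".html", ".htm")
                and remote_host not in allowed_ips):
            suspicious.append((remote_host, user, filename))
    return suspicious

# Constructed sample web root: one shell, one redirect page, two benign files.
SAMPLE_FILES = {
    "images/cache.php": "<?php @eval(base64_decode($_POST['c'])); ?>",
    "images/index.html": '<html><head><meta http-equiv="refresh" '
                         'content="0;url=http://malicious.example/"></head></html>',
    "index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
    "about.html": "<html><body>About us</body></html>",
}

def build_sample_webroot():
    """Materialise SAMPLE_FILES in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

# Constructed xferlog lines (documentation-range IPs); 198.51.100.10 is the
# assumed legitimate web developer, 203.0.113.77 is unknown.
SAMPLE_XFERLOG = """\
Tue Mar  7 02:14:09 2017 1 203.0.113.77 1842 /var/www/html/images/cache.php b _ i r webdev ftp 0 * c
Tue Mar  7 02:14:11 2017 1 203.0.113.77 611 /var/www/html/images/index.html b _ i r webdev ftp 0 * c
Tue Mar  7 09:30:00 2017 2 198.51.100.10 40231 /var/www/html/images/logo.png b _ i r webdev ftp 0 * c
Tue Mar  7 09:31:00 2017 1 198.51.100.10 2300 /var/www/html/news.php b _ i r webdev ftp 0 * c
Tue Mar  7 10:00:00 2017 1 203.0.113.77 2300 /var/www/html/news.php b _ o r webdev ftp 0 * c
""".splitlines()

if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot()):
        print("webroot:", *hit)
    for entry in audit_xferlog(SAMPLE_XFERLOG, {"198.51.100.10"}):
        print("xferlog:", *entry)
```

Both checks are deliberately noisy in the right direction: a legitimate admin panel will trip the PHP heuristic and a genuine redirect page the HTML one, so treat hits as a review list, and correlate them with the xferlog (the same unknown host uploading cache.php and index.html minutes apart, as in the constructed sample, is exactly the pattern described above). The log parser breaks on file names containing spaces; if your server logs those, parse the fixed-position fields from the right instead.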