“…the activity patterns and infrastructure usage align with known React2Shell exploitation campaigns during the same timeframe. The attack progression is expected to follow this pattern: - Remote code execution: attackers exploit React2Shell to gain initial RCE on the target sy…”
T1190 Exploit Public-Facing Application
80%
“Web traffic hijacking: when your NGINX configuration turns malicious. Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the technique…”
T1041 Exfiltration Over C2 Channel
74%
“…it now includes a fallback, using pkill to force a restart. Stage 5 - Mapping the injection: the ok.sh script is responsible for generating a report detailing all active NGINX traffic hijacking rules. This collected data is then exfiltrated to the attacker's command and con…”
T1071 Application Layer Protocol
72%
“…it now includes a fallback, using pkill to force a restart. Stage 5 - Mapping the injection: the ok.sh script is responsible for generating a report detailing all active NGINX traffic hijacking rules. This collected data is then exfiltrated to the attacker's command and con…”
Summary
Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your NGINX configurations.