Beginning in early September 2022, an unknown threat actor successfully compromised tens of thousands of websites mainly aimed at East Asian audiences, redirecting hundreds of thousands of their users to adult-themed content. In several cases, the threat actor connected to the target web server using legitimate FTP credentials that they had somehow obtained beforehand. Wiz was not able to determine how this threat actor gained initial access to the affected web servers or where they sourced the stolen credentials.
If you maintain your website via FTP, use FTPS or SFTP with a strong username and password combination. If you identify any IOCs related to this activity in your environment, you should rotate your credentials, reinstall software from a trusted source, and restore compromised assets to previous clean versions.
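Because the logins described above used valid credentials, authentication logs alone will not separate the intruder from the site owner; reviewing what was uploaded, and from where, can. The sketch below is an added example, not code from Wiz or from the original page: it scans FTP transfer logs for completed uploads of web content from addresses outside an expected range. It assumes the server writes the standard xferlog format; the web root, trusted network, account name and log lines are constructed for illustration.

```python
import ipaddress
import re

# xferlog fields after the 5-token timestamp:
# transfer-time remote-host size filename type action-flag direction
# access-mode username service auth-method auth-user-id completion-status
XFERLOG = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \d+ (?P<host>\S+) \d+ "
    r"(?P<path>.+) [ab] \S+ (?P<dir>[iod]) [agr] (?P<user>\S+) \S+ [01] \S+ "
    r"(?P<status>[ci])$"
)
WEB_EXT = (".php", ".js", ".html", ".htm")

def suspicious_uploads(lines, web_root, trusted_nets):
    """Return (timestamp, host, user, path) for completed uploads of web
    content under web_root from hosts outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = XFERLOG.match(line.strip())
        # Keep only incoming ("i") transfers that completed ("c").
        if not m or m["dir"] != "i" or m["status"] != "c":
            continue
        path = m["path"]
        if not path.startswith(web_root) or not path.lower().endswith(WEB_EXT):
            continue
        try:
            addr = ipaddress.ip_address(m["host"])
            trusted = any(addr in n for n in nets)
        except ValueError:
            trusted = False  # hostname instead of IP: treat as unknown
        if not trusted:
            hits.append((m["ts"], m["host"], m["user"], path))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical account).
SAMPLE = """\
Thu Sep  1 10:15:32 2022 1 198.51.100.7 2048 /var/www/html/index.php b _ i r webadmin ftp 0 * c
Thu Sep  1 10:16:02 2022 1 203.0.113.44 2101 /var/www/html/index.php b _ i r webadmin ftp 0 * c
Thu Sep  1 10:16:09 2022 1 203.0.113.44 512 /var/www/html/readme.txt b _ i r webadmin ftp 0 * c
Thu Sep  1 10:17:40 2022 1 203.0.113.44 2101 /var/www/html/index.php b _ o r webadmin ftp 0 * c
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE, "/var/www/html/", ["198.51.100.0/24"]):
        print(*hit, sep="  ")
```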