Stolen FTP Credentials Used in Website Hijacking Scheme
Cloud cybersecurity experts from Wiz have detected a website hijacking campaign that uses stolen FTP (File Transfer Protocol) credentials to redirect users to websites of the attackers’ choosing. The campaign appears to have been operational since September 2022 and has compromised more than 10,000 websites. It is not clear how the legitimate FTP credentials were obtained.
Stolen credentials only work when those credentials are reusable. Good reminder to make sure your movement to 2FA extends to all remote access capabilities, not just the VPN.
If you still have FTP enabled on your websites, you really need to disable it and move to an alternative, say SFTP. Odds are the current versions of your website development tools already support secure alternatives. This may require you to update your development environments. Next, make sure your website wasn’t compromised; remediate if needed.
Fifteen years after we first began to disparage the use of FTP, it continues to be a problem.