According to a report released by the Qi'anxin Threat Intelligence Center, Qi'anxin recently observed that multiple websites, including CSDN, had been compromised and were being used to distribute Trojans and phishing pages. The center saw a sharp increase in activity involving the related malicious domain (hxxps://analyzev.oss-cn-beijing.aliyuncs.com) from the beginning of September, but no working payloads until the end of September; before that, only some unusual JavaScript files were observed.
The domain above is the default bucket endpoint that Alibaba Cloud assigns to customers of its OSS object storage service. In other words, the attackers hosted all of their malicious files in an Alibaba Cloud OSS bucket for distribution, probably because traffic to a well-known cloud provider's domain is less likely to be flagged by domain-based detection.
By the end of October the attackers finally acted, and malicious payloads could be observed, including:
hxxps://analyzev.oss-cn-beijing.aliyuncs.com/update.exe
hxxps://analyzev.oss-cn-beijing.aliyuncs.com/ntp.exe
hxxps://analyzev.oss-cn-beijing.aliyuncs.com/flash_update.exe
hxxps://analyzev.oss-cn-beijing.aliyuncs.com/ntp_windows.exe
The file names show that the attackers disguised the Trojans as software updates, Flash installers and the like. They even imitated a Google Chrome error page to build a phishing page that prompts the visitor to perform a "certificate update".
The page below appears to be a Chrome error message, but it is actually a phishing page created by the attackers; Chrome displays no such prompt:
CSDN was observed serving the Trojan:
Qi'anxin researchers also noticed that the Referer headers on requests for the malicious programs above all pointed to ordinary blog pages on CSDN. Based on the relevant logs they confirmed that CSDN had been compromised, and they were able to reproduce the behaviour.
The additionally injected script is hxxps://analyzev.oss-cn-beijing.aliyuncs.com/jquery-statistics.js, a name chosen to look like a legitimate jQuery analytics plugin. If a site's pages include this script, visitors loading the front end may be redirected to the phishing page.
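A practical check that follows from the two paragraphs above is to audit every external script a page loads against an allowlist of origins the site owner actually expects, and to flag the OSS host named in the report outright. The following is an added example, not code from Qi'anxin or from any affected site; the allowlist hosts and the sample HTML are constructed for illustration, while the IOC host and script name are the ones the report names.

```python
"""Audit a page's external <script src> references against an allowlist.

Added example (not from the Qi'anxin report or any affected site). The
injected loader in this incident was a script tag pulling
jquery-statistics.js from an Alibaba Cloud OSS bucket; the sample HTML below
is constructed, the IOC host is the one named in the report.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host named in the report as the distribution point for the loader and payloads.
IOC_HOSTS = {"analyzev.oss-cn-beijing.aliyuncs.com"}

# Hypothetical allowlist: origins a site owner expects to serve scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com", "www.example.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag names already
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def external_script_hosts(html, page_host):
    """Return (src, host) for each script loaded from a host other than page_host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    results = []
    for src in parser.sources:
        # Protocol-relative "//host/path" URLs only parse a hostname once a scheme is prefixed.
        target = "https:" + src if src.startswith("//") else src
        host = urlparse(target).hostname
        if host is None:
            continue  # relative path: same-origin load, not external
        host = host.lower()
        if host != page_host.lower():
            results.append((src, host))
    return results


def audit_scripts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS, iocs=IOC_HOSTS):
    """Classify each external script load.

    'ioc'        -> host is a known-bad indicator (checked before the allowlist,
                    so an allowlisted host that later turns malicious still fires)
    'allowed'    -> host is on the expected allowlist
    'unexpected' -> anything else; review it as a possible injection
    """
    findings = []
    for src, host in external_script_hosts(html, page_host):
        if host in iocs:
            verdict = "ioc"
        elif host in allowed:
            verdict = "allowed"
        else:
            verdict = "unexpected"
        findings.append({"src": src, "host": host, "verdict": verdict})
    return findings


# Constructed sample: a legitimate page with the injected loader appended at the end of <head>.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script type="text/javascript" src="//stats.unknown-third-party.net/t.js"></script>
<script src="https://analyzev.oss-cn-beijing.aliyuncs.com/jquery-statistics.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, "www.example.com"):
        print(f"{f['verdict']:>10}  {f['host']}  {f['src']}")
```

Run this against the HTML as served to real visitors (fetched through the CDN, not from the origin server), because in an injection at the CDN edge the origin's copy of the page is clean. For the same reason a Content-Security-Policy `script-src` restricted to known origins would have blocked the OSS loader in a browser, but it is only a partial defence here: a compromised CDN that can rewrite the page body can also rewrite or strip the policy header.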
Notably, CSDN is not the only victim: many industry websites and even local government websites have been affected as well. Qi'anxin currently suspects that a CDN provider shared by these sites was compromised, that is, the attackers injected the malicious script into pages at the CDN edge and then used that script to deliver the phishing pages and Trojans.
Qi'anxin has not named the CDN provider. Its security products can already block these Trojans on endpoints.