January 23, 2024 at 02:16PM
Threat actors operating Parrot TDS have intensified their efforts to avoid detection and can potentially reach millions of people through compromised websites. Researchers from Unit 42 have been tracking this traffic direction system (TDS), which injects malicious landing scripts into existing JavaScript files on compromised web servers. The researchers have also provided mitigation strategies and indicators of compromise that web administrators can use to detect and protect against Parrot TDS.
Key takeaways from the Unit 42 research:
1. Threat actors behind the Parrot traffic direction system (TDS) have intensified their efforts to avoid detection and can potentially impact millions of people through malicious scripts hidden in thousands of compromised websites.
2. Parrot TDS injects malicious scripts into existing JavaScript code on compromised web servers, targeting victims globally without any restriction based on nationality, geography, or industry.
3. The attackers have enhanced their evasion techniques, among them spreading the injected JavaScript across multiple lines instead of a single line. The sites themselves are compromised by exploiting known vulnerabilities in systems such as WordPress, Joomla, or other content management systems.
4. There are nine versions of Parrot TDS payload scripts, with V2 being the most common, representing more than 70% of the identified samples.
5. The researchers have provided a list of indicators of compromise (IoCs) in their blog post so that website administrators can check whether their sites have been compromised by Parrot TDS. These IoCs include SHA256 hashes of JavaScript files containing injected landing script code and specific keywords associated with the campaign.
6. Mitigation and protection measures include conducting an audit to discover any extra .php files on a web server, implementing next-generation firewall technology, and using advanced URL filtering to block malicious traffic and identified IoCs.
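The IoC check in item 5 and the .php audit in item 6 can be scripted. The following is an added example, not code from the Unit 42 post or from Palo Alto Networks: it walks a web root, hashes every .js file against a set of SHA256 IoCs, searches the same files for injection keywords, and lists .php files that are not in the site's expected manifest. The sample site, the injected marker string `exampleInjectedMarker`, and the seeded hash set are constructed placeholders; the real hashes and keywords must be taken from the Unit 42 IoC list.

```python
import hashlib
import tempfile
from pathlib import Path

# Placeholder keyword list (constructed). Replace with the campaign keywords
# published in the Unit 42 IoC list; this string is not a real indicator.
INJECTION_KEYWORDS = ("exampleInjectedMarker",)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA256 so large minified bundles are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root: Path, expected_php: set, bad_hashes: set, keywords) -> dict:
    """Return three sorted finding lists, each holding paths relative to root:
    - hash_match:     .js files whose SHA256 is on the IoC list
    - keyword_match:  .js files containing an injection keyword
    - unexpected_php: .php files that are not in the deployment manifest
    """
    findings = {"hash_match": [], "keyword_match": [], "unexpected_php": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix == ".js":
            if sha256_of(p) in bad_hashes:
                findings["hash_match"].append(rel)
            # errors="ignore": injected code is often appended to binary-ish
            # minified files; a decode failure must not abort the scan.
            text = p.read_text(encoding="utf-8", errors="ignore")
            if any(k in text for k in keywords):
                findings["keyword_match"].append(rel)
        elif p.suffix == ".php" and rel not in expected_php:
            findings["unexpected_php"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def build_demo_site() -> Path:
    """Constructed sample web root: one clean .js, one .js with an appended
    landing-style stub, the expected index.php, and a stray .php under uploads.
    None of this is real Parrot TDS code."""
    root = Path(tempfile.mkdtemp(prefix="parrot_demo_"))
    (root / "js").mkdir()
    (root / "js" / "clean.js").write_text("function greet(n){return 'hi '+n;}\n")
    (root / "js" / "jquery.min.js").write_text(
        "/* legitimate library code */ var $=function(){};\n"
        ";if(typeof exampleInjectedMarker==='undefined'){\n"
        "  exampleInjectedMarker=1;/* constructed stub: fetch next stage */}\n"
    )
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "x1.php").write_text("<?php /* stray file */ ?>\n")
    return root


def run_demo() -> dict:
    """Scan the constructed site. The hash IoC set is seeded with the digest of
    the constructed injected file purely to exercise the hash-match path."""
    root = build_demo_site()
    bad_hashes = {sha256_of(root / "js" / "jquery.min.js")}
    expected_php = {"index.php"}
    return scan_webroot(root, expected_php, bad_hashes, INJECTION_KEYWORDS)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

Hash matching only catches byte-identical samples, so the keyword search and the .php manifest diff are the checks that carry weight on a site whose injected code differs from the published samples; the manifest should come from the deployed package or version control, not from the live server.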