Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Exploitation of Bitrix CMS Vulnerability Drives ICS Attack Surge in Russia

Kaspersky has seen a surge in attacks on ICS computers in Russia and blames it on the exploitation of a Bitrix CMS vulnerability tracked as CVE-2022-27228.

Kaspersky has seen a surge in attacks on industrial control system (ICS) computers in Russia and neighboring countries, and the company has linked it to increased exploitation of a vulnerability affecting a content management system (CMS).

The cybersecurity firm on Monday published its latest ICS threat landscape report, which focuses on the second half of 2022. The company said it had blocked threats on 40.6% of the global devices protected by its products in 2022, a slight increase compared to 2021 (39.6%) and 2020 (38.6%). 

These devices include HMIs, SCADA systems, historians, data gateways, engineering workstations, computers used for the administration of industrial networks, and devices used to develop software for industrial systems.

However, the most significant increase in H2 2022 was seen in Russia, where attacks increased by nine percentage points, with 39.2% of the ICS computers in the country being targeted.

Learn More About ICS Threats at SecurityWeek’s ICS Cyber Security Conference

According to Kaspersky, this surge is driven by a significant increase in the percentage of ICS devices on which its products blocked malicious scripts and phishing pages.

“The sudden surge in the percentage of ICS computers on which malicious scripts and phishing pages were blocked in August and September 2022, as well as the high figures in the following months, were due to mass infections of websites (including those of industrial organizations) that use the Bitrix CMS,” Kaspersky explained. “It should be noted that ICS computers from which arbitrary websites can be accessed are mostly ICS operator or engineering workstations.”

The exploited vulnerability, tracked as CVE-2022-27228, affects the ‘Polls, Votes’ module of the Bitrix Site Manager application. The security hole allows a remote, unauthenticated attacker to execute arbitrary code.  

Bitrix24 announced patches for the vulnerability in March 2022. A researcher from Russian cybersecurity firm Positive Technologies was credited at the time for finding the flaw. 

Advertisement. Scroll to continue reading.

SecurityWeek has not found any previous reports mentioning malicious exploitation of CVE-2022-27228.

In addition to Russia, ICS computers in countries such as Belarus, Kyrgyzstan, Uzbekistan and Kazakhstan have been increasingly targeted with malicious scripts and phishing pages as a result of CVE-2022-27228 exploitation against websites powered by the Bitrix CMS.

This is not surprising considering that the impacted Bitrix product has the largest market share in Russia and neighboring countries. 

“[The increase in attacks] was largely due to a surge in the activity of potentially dangerous advertising platforms that are often used to spread malware disguised as advertising displayed on various web resources,” Kaspersky said.

It appears that CVE-2022-27228 exploitation is opportunistic and Russia is significantly impacted because the Bitrix product is widely used in the country, rather than someone specifically exploiting the vulnerability to target Russia. 

Related: Spyware, Ransomware, Cryptojacking Malware Increasingly Detected on ICS Devices

Related: Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.