Exploitation of Bitrix CMS Vulnerability Drives ICS Attack Surge in
Kaspersky has seen a surge in attacks on industrial control system (ICS) computers in Russia and neighboring countries, and the company has linked it to increased exploitation of a vulnerability affecting a content management system (CMS).
The cybersecurity firm on Monday published its latest ICS threat landscape report, which focuses on the second half of 2022. The company said it had blocked threats on 40.6% of the global devices protected by its products in 2022, a slight increase compared to 2021 (39.6%) and 2020 (38.6%).
These devices include HMIs, SCADA systems, historians, data gateways, engineering workstations, computers used for the administration of industrial networks, and devices used to develop software for industrial systems.
However, the most significant increase in H2 2022 was seen in Russia, where attacks increased by nine percentage points, with 39.2% of the ICS computers in the country being targeted.
Learn More About ICS Threats at SecurityWeek’s ICS Cyber Security Conference
According to Kaspersky, this surge is driven by a significant increase in the percentage of ICS devices on which its products blocked malicious scripts and phishing pages.
“The sudden surge in the percentage of ICS computers on which malicious scripts and phishing pages were blocked in August and September 2022, as well as the high figures in the following months, were due to mass infections of websites (including those of industrial organizations) that use the Bitrix CMS,” Kaspersky explained. “It should be noted that ICS computers from which arbitrary websites can be accessed are mostly ICS operator or engineering workstations.”
The exploited vulnerability, tracked as CVE-2022-27228, affects the ‘Polls, Votes’ module of the Bitrix Site Manager application. The security hole allows a remote, unauthenticated attacker to execute arbitrary code.
Bitrix24 announced patches for the vulnerability in March 2022. A researcher from Russian cybersecurity firm Positive Technologies was credited at the time for finding the flaw.
SecurityWeek has not found any previous reports mentioning malicious exploitation of CVE-2022-27228.
In addition to Russia, ICS computers in countries such as Belarus, Kyrgyzstan, Uzbekistan and Kazakhstan have been increasingly targeted with malicious scripts and phishing pages as a result of CVE-2022-27228 exploitation against websites powered by the Bitrix CMS.
This is not surprising considering that the impacted Bitrix product has the largest market share in Russia and neighboring countries.
“[The increase in attacks] was largely due to a surge in the activity of potentially dangerous advertising platforms that are often used to spread malware disguised as advertising displayed on various web resources,” Kaspersky said.
It appears that CVE-2022-27228 exploitation is opportunistic and Russia is significantly impacted because the Bitrix product is widely used in the country, rather than someone specifically exploiting the vulnerability to target Russia.
Related: Spyware, Ransomware, Cryptojacking Malware Increasingly Detected on ICS Devices
Related: Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022