Surge in ICS Attacks Linked to Bitrix CMS Vulnerability

March 7, 2023

Kaspersky has seen a surge in attacks on industrial control system (ICS) computers in Russia and neighboring countries, and the company has linked it to increased exploitation of a vulnerability affecting a content management system (CMS). The exploited vulnerability, tracked as CVE-2022-27228, affects the ‘Polls, Votes’ module of the Bitrix Site Manager application. According to Kaspersky, the surge is reflected in a significant increase in the percentage of ICS devices on which its products blocked malicious scripts and phishing pages. “The sudden surge in the percentage of ICS computers on which malicious scripts and phishing pages were blocked in August and September 2022, as well as the high figures in the following months, were due to mass infections of websites (including those of industrial organizations) that use the Bitrix CMS,” Kaspersky explained. “It should be noted that ICS computers from which arbitrary websites can be accessed are mostly ICS operator or engineering workstations.”

“The increase in attacks was largely due to a surge in the activity of potentially dangerous advertising platforms that are often used to spread malware disguised as advertising displayed on various web resources,” said Kaspersky. “It appears that CVE-2022-27228 exploitation is opportunistic and Russia is significantly impacted because the Bitrix product is widely used in the country, rather than someone specifically exploiting the vulnerability to target Russia.” Bitrix24 announced patches for the vulnerability in March 2022. A researcher from Russian cybersecurity firm Positive Technologies was credited at the time for finding the flaw.
