Kaspersky has seen a surge in attacks on industrial control system (ICS) computers in Russia and neighboring countries, and the company has linked it to increased exploitation of a vulnerability affecting a content management system (CMS). The exploited vulnerability, tracked as CVE-2022-27228, affects the ‘Polls, Votes’ module of the Bitrix Site Manager application. According to Kaspersky, this surge is driven by a significant increase in the percentage of ICS devices on which its products blocked malicious scripts and phishing pages. “The sudden surge in the percentage of ICS computers on which malicious scripts and phishing pages were blocked in August and September 2022, as well as the high figures in the following months, were due to mass infections of websites (including those of industrial organizations) that use the Bitrix CMS,” Kaspersky explained. “It should be noted that ICS computers from which arbitrary websites can be accessed are mostly ICS operator or engineering workstations.”
“The increase in attacks was largely due to a surge in the activity of potentially dangerous advertising platforms that are often used to spread malware disguised as advertising displayed on various web resources,” said Kaspersky. “It appears that CVE-2022-27228 exploitation is opportunistic and Russia is significantly impacted because the Bitrix product is widely used in the country, rather than someone specifically exploiting the vulnerability to target Russia.” Bitrix24 announced patches for the vulnerability in March 2022. A researcher from Russian cybersecurity firm Positive Technologies was credited at the time for finding the flaw.