Exploitation of Bitrix CMS Vulnerability Drives ICS Attack Surge in Russia

The exploitation of a vulnerability in the Bitrix Content Management System (CMS) is driving a surge of cyber attacks on critical infrastructure and industrial control systems (ICS) in Russia. According to cyber-security firm Kaspersky, attackers have used the vulnerability to gain elevated privileges by uploading malicious files and executing arbitrary code on targeted websites.

Most Vulnerable Sites

Bitrix is an open-source, modular web-based content management and collaboration suite. Released in 2000, it is currently used by more than 25,000 companies worldwide, including large banks and government organizations.

This vulnerability, tracked as CVE-2021-25371, was discovered in February 2021 and affects all versions of Bitrix CMS released prior to version 20.0.0. Most of the sites that have been hacked were running outdated versions of the software that had not been updated regularly.

Exploitation Methods

Kaspersky researchers reported that attackers were exploiting the vulnerability by uploading malicious files to the affected websites and executing arbitrary code with elevated privileges.

The researchers also noted that the attackers had used various methods to gain access to the vulnerable websites, including brute-force attacks, exploitation of known vulnerabilities, and stolen credentials. In some cases, the attackers had also installed web shells on the websites, which allowed them to reach the underlying operating system and execute malicious code.
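The upload-and-execute pattern described above leaves artifacts a defender can look for: script files dropped into a directory that should only hold user content, or image-named files that actually carry PHP. The following is an added example (not Kaspersky's tooling or Bitrix code) that scans an upload tree for those indicators; it assumes a PHP-based site and builds its own constructed sample files so it runs offline.

```python
import os
import re
import tempfile

# Extensions that should never appear in a content-upload tree (assumed PHP site).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Indicators: a PHP open tag, a code-execution sink, and request input feeding it.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SINKS = re.compile(rb"\b(eval|system|passthru|shell_exec|exec|assert|popen|proc_open)\s*\(", re.IGNORECASE)
INPUT_SRC = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")

def classify(path):
    """Return the list of reasons a file looks like a web shell, or [] if clean."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        data = f.read(1024 * 1024)  # the head of the file is enough for these indicators
    if ext in SCRIPT_EXTS:
        reasons.append("script extension inside upload tree")
    if ext not in SCRIPT_EXTS and PHP_TAG.search(data):
        reasons.append("PHP open tag in a non-script file (polyglot)")
    if SINKS.search(data) and INPUT_SRC.search(data):
        reasons.append("code-execution sink fed from request input")
    return reasons

def scan_upload_tree(root):
    """Walk an upload directory and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample_tree():
    """Constructed sample data: a benign PNG, a .php dropped into the upload tree,
    and a .jpg that is really a PHP polyglot. Layout is hypothetical, not Bitrix's."""
    root = tempfile.mkdtemp(prefix="upload_")
    os.makedirs(os.path.join(root, "iblock", "abc"))
    with open(os.path.join(root, "iblock", "abc", "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    with open(os.path.join(root, "iblock", "abc", "cache.php"), "wb") as f:
        f.write(b"<?php @eval($_POST['c']); ?>")
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"<?php system($_GET['x']); ?>")
    return root

if __name__ == "__main__":
    for name, why in scan_upload_tree(build_sample_tree()).items():
        print(name, "->", "; ".join(why))
```

On a real deployment, point scan_upload_tree at the site's upload directory and feed the findings into your alerting; extension checks alone miss polyglots, which is why the content indicators are combined with them.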

Targeting ICS

Once the attackers had gained access to the vulnerable websites, they began targeting industrial control systems (ICS) and critical infrastructure. From the compromised websites they were able to reach the underlying ICS hardware, allowing them to launch sophisticated cyber attacks such as ransomware, data exfiltration, and sabotage.

Kaspersky noted that the attackers were targeting several industries, including energy, manufacturing, and retail. Having gained access to the ICS hardware, the attackers were able to control, monitor, and disrupt those systems.

Preventing Future Attacks

Kaspersky has advised all Bitrix users to update their software to the latest version immediately to protect their websites from further exploitation. Additionally, users should apply security patches as soon as they become available and enable two-factor authentication for added security.

Kaspersky researchers also warned that the attackers have likely targeted other vulnerable Bitrix websites and are likely to continue exploiting this vulnerability against ICS and critical infrastructure.

Conclusion

The exploitation of a vulnerability in Bitrix CMS has given attackers access to critical infrastructure and industrial control systems in Russia. Attackers are exploiting the vulnerability to upload malicious files, execute arbitrary code, and gain access to the underlying ICS hardware. All Bitrix users should update their software to the latest version immediately and apply security patches as soon as they become available to prevent any further exploitation.
