February 26, 2024 at 03:05PM
Threat actors are exploiting an outdated CMS editor to compromise education and government entities worldwide. Attackers abuse open redirects for phishing, malware distribution, and scams while making the links appear to originate from legitimate domains. The campaign targets educational, government, and corporate sites that still run the outdated FCKeditor plugin. The compromised instances use static HTML pages and redirects to malicious sites, which remain active in search results for a long time.
From the meeting notes, the following key takeaways can be identified:
1. Threat actors are exploiting a discontinued CMS editor, FCKeditor, to compromise education, government, and corporate entities worldwide. The exploitation involves poisoning search results with malicious sites or scams.
2. Open redirects are being abused to conduct phishing attacks, distribute malware, and scam users while appearing to originate from legitimate domains. Attackers leverage open redirect URLs hosted on trusted domains to bypass security filters and perform SEO poisoning campaigns.
3. Cybersecurity researcher @g0njxa discovered a malicious redirect campaign targeting organizations primarily in the education sector, such as MIT, Columbia University, and several others, as well as government and corporate sites using the outdated FCKeditor plugin.
4. The compromised FCKeditor instances utilize a combination of static HTML pages and redirects to malicious sites to poison search engine results.
5. The software maker deprecated FCKeditor in 2010 and has stated that it should no longer be in use. However, university and government sites are still observed running the discontinued software, which leaves them exposed to exploitation.
These takeaways highlight the urgency of addressing the exploitation of discontinued software such as FCKeditor and the importance of mitigating open redirect vulnerabilities to protect against SEO poisoning and other malicious activity. They also emphasize the need for increased awareness and proactive measures to prevent such campaigns and protect organizational assets from compromise.
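As an added example that is not part of the original report, the script below triages web server access logs for the two things the takeaways point at: requests still reaching a legacy FCKeditor path (the `fckeditor` path fragment is an assumption about how the editor is deployed) and query parameters carrying an off-site destination, the open-redirect pattern described above. The hostnames and log lines are constructed for the demo, and the URL normalisation covers the forms browsers accept that a naive prefix check misses.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hostnames that belong to our own site (assumed values for this example).
OWN_HOSTS = {"www.example.edu", "example.edu"}

# Constructed Common Log Format lines for the demo; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2024:15:05:01 +0000] "GET /news/index.html HTTP/1.1" 200 5120
203.0.113.7 - - [26/Feb/2024:15:05:03 +0000] "GET /fckeditor/editor/fckeditor.html HTTP/1.1" 200 2210
203.0.113.9 - - [26/Feb/2024:15:05:04 +0000] "GET /go?url=https%3A%2F%2Fcasino.invalid%2Fpromo HTTP/1.1" 302 0
203.0.113.9 - - [26/Feb/2024:15:05:05 +0000] "GET /go?url=/portal/login HTTP/1.1" 302 0
203.0.113.9 - - [26/Feb/2024:15:05:06 +0000] "GET /redir?to=//phish.invalid/login HTTP/1.1" 302 0
203.0.113.9 - - [26/Feb/2024:15:05:07 +0000] "GET /redir?to=https://www.example.edu@phish.invalid/ HTTP/1.1" 302 0
203.0.113.9 - - [26/Feb/2024:15:05:08 +0000] "GET /go?url=https:evil.invalid HTTP/1.1" 302 0
"""

# Client IP, request target and status from a CLF line; the rest is ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def external_host(value, own_hosts=OWN_HOSTS):
    """Host a browser would be sent to by this parameter value, or None when it
    stays on own_hosts or is a plain relative path. Normalises the forms a naive
    prefix check misses: backslashes, "//host", "https:host" and "trusted@evil"."""
    v = value.strip().replace("\\", "/")
    parts = urlsplit(v)
    if parts.scheme in ("http", "https") and not parts.netloc:
        # Browsers read "https:evil" and "https:///evil" as "https://evil".
        parts = urlsplit(parts.scheme + "://" + v.split(":", 1)[1].lstrip("/"))
    host = parts.netloc.rsplit("@", 1)[-1].split(":")[0].lower()
    return host if host and host not in own_hosts else None

def triage(log_text, own_hosts=OWN_HOSTS):
    """Return (reason, client_ip, detail) for requests worth a look: hits on the
    legacy editor path, and query parameters carrying an off-site destination."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if "fckeditor" in path.lower():  # assumption: legacy editor served under this path
            findings.append(("legacy-fckeditor-path", m["ip"], path))
        for key, val in parse_qsl(query, keep_blank_values=True):
            host = external_host(val, own_hosts)
            if host:
                findings.append(("external-redirect-param", m["ip"], f"{key} -> {host}"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the legacy editor path once and four off-site redirect parameters, while the relative `/portal/login` value passes.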