The Central Bank recorded a surge in the use of vulnerabilities in CMS Bitrix in the fall


The Central Bank noted a surge in the exploitation of a vulnerability in CMS Bitrix, a website management system popular among medium-sized and small banks as well as their contractors. According to experts, the growth may be due to credit institutions delaying the installation of updates, some of which were released a year ago. For banks, the presence of such vulnerabilities means a risk of penetration into internal systems, including unauthorized operations and data leaks.

The Central Bank requested information from banks about the version of CMS Bitrix used by the credit institutions themselves or by their contractors, as follows from the regulator’s letter dated November 15 (Kommersant has reviewed it). Judging by the fact sheet attached to the letter, from October to November the regulator noted a sharp surge in information security incidents related to the exploitation of the CVE-2022-27228 vulnerability. The regulator also requested information from banks about measures “aimed at preventing the possibility of exploitation of the declared vulnerabilities” and recommended adding scripts and disabling unused modules.

CMS Bitrix is a site management system that provides ready-made templates and modules for building a web resource and attaching the required functionality to it. The vulnerability CVE-2022-27228 involves insufficient input validation, which allows an unauthenticated remote user to effectively take control of the site.

According to RTM Group manager Evgeniy Tsarev, the system is used by about 20% of banks. According to Alexander Moiseev, leading information security consultant at Aktiv.Consulting, problems could potentially arise for medium-sized and small credit institutions. He clarified that CMS Bitrix is also popular among medium-sized and small businesses that can act as contractors for banks.

At the beginning of the month (see Kommersant Online, November 9), BZhF Bank, RRDB and Fora Bank announced that their websites had been attacked by hackers. A little earlier (see Kommersant Online, October 30), hackers compromised the website of the National Payment Card System (NSPC). According to experts, these attacks may be related to the exploitation of the CVE-2022-27228 vulnerability in Bitrix. BZhF Bank, RRDB, Fora Bank and NSPC did not promptly respond to Kommersant’s request.

The Central Bank clarified that the mentioned incidents were related to vulnerabilities in the service used by service providers for creating and managing bank websites. They emphasized that “banks, receiving information about risks from the regulator, must take it into account in their business processes and promptly convey it to their suppliers.”

Credit institutions in general “quickly enough, as new versions are tested and a number of regulated procedures are completed, install new versions that close the vulnerability, or configure the necessary parameters to make it impossible to use it,” says Alexey Voylukov, vice-president of the Association of Russian Banks.

Meanwhile, NKTsKI (the body that coordinates the activities of critical information infrastructure (CII) subjects on attacks and incident response) and FinCERT reported the identified vulnerability back in March 2022, as follows from the Central Bank’s newsletter. According to Mr. Voylukov, a few months later NKTsKI recommended that CII facilities update CMS Bitrix to the latest versions. The declared vulnerability was closed by the developer by August 2022, he explains.

Information security specialists believe that the current incidents may be related precisely to the delay in installing updates. After the release of an official update there are two possible approaches: the update is applied automatically, essentially immediately after its release, or manually, explains Mr. Tsarev. According to him, automatic updates are not always provided, including for security reasons, since if the developers have made errors, a prompt update can stop the site from working.

Meanwhile, according to experts, the exploitation of this vulnerability by hackers can lead to serious consequences. If a bank’s vulnerable external web resources are hosted on its own servers, there is a possibility of penetration into the main information systems, remote banking services and the bank-client interface, explains Mr. Moiseev. Disruption of these systems threatens unauthorized financial transactions, leakage of customer data, problems with the provision of services, reputational losses and fines from regulators. However, the Central Bank assures that during the attacks in October and November the banks’ infrastructure and key processes were not damaged.

Yulia Poslavskaya
