Cyber threat actors are abusing a CMS editor discontinued 14 years ago to compromise education and government entities worldwide. The goal is SEO poisoning: manipulating search results so that they surface malicious sites or scams. The attackers exploit open redirects, which let them conduct phishing attacks, distribute malware, or scam users while the links appear to originate from legitimate domains. Because these open redirect URLs are hosted on trusted domains, they might bypass the URL filters used by security products, providing a covert avenue for malicious activity.
The campaign, discovered by cybersecurity researcher @g0njxa, targets educational institutions such as MIT and Columbia University, and government sites such as those of Virginia and Spain. The attackers exploit an outdated plugin, FCKeditor, which was deprecated in 2010. Although it is obsolete, many organizations, including prominent universities and government entities, continue to use it, exposing themselves to significant cybersecurity risks. The attackers use static HTML pages and redirects to poison search engine results, damaging the online reputation of the targeted organizations and potentially leading to further malicious activity.
This incident underscores the importance of regularly updating and securing web technologies to prevent exploitation of vulnerabilities. Furthermore, it highlights the need for organizations to retire deprecated software promptly. Cybersecurity vigilance is crucial to detecting and mitigating such threats, safeguarding the digital infrastructure of educational and government institutions.
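On the open redirects described in the first paragraph, the fix on the site's side is to validate every redirect target before issuing the redirect. The following is an added example, not code from the article or from any affected site: it is a strict same-site check in Python, and the host names, the function names and the sample values are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the site's own host names (constructed placeholder values).
ALLOWED_HOSTS = frozenset({"www.example.edu", "example.edu"})


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` keeps the user on one of the site's hosts."""
    if not target or target != target.strip():
        return False
    # Browsers treat "\" like "/" and drop tab/CR/LF inside URLs, so a value
    # such as "/\host" can leave the site even though it looks like a path.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a single-slash absolute path.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # covers javascript:, data: and scheme-relative "//host"
    if parts.username is not None or parts.password is not None:
        return False  # "https://trusted@other-host/" style userinfo
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


def rejected_targets(values, allowed_hosts=ALLOWED_HOSTS):
    """Return the redirect targets from `values` that must not be followed."""
    return [v for v in values if not is_safe_redirect(v, allowed_hosts)]


# Constructed sample values of a redirect parameter, for illustration only.
SAMPLES = [
    "/courses/list?page=2",
    "https://www.example.edu/admissions",
    "//offsite.example/landing",
    "https://www.example.edu@offsite.example/",
    "https://www.example.edu.offsite.example/",
    "/\\offsite.example",
]

if __name__ == "__main__":
    for value in rejected_targets(SAMPLES):
        print("blocked:", value)
```
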