Sites of Major Orgs Abused in Spam Campaign Exploiting Virtual Tour Software Flaw – Source: www.securityweek.com

The websites of dozens of major private and government organizations have been abused in a massive spam campaign that involves exploitation of a vulnerability affecting widely used virtual tour software.

The attacks were observed recently by researcher Oleg Zaytsev who noticed that a Google search revealed what appeared to be adult content on the website of a major university in the US. 

Additional analysis showed that the impacted website hosted a virtual tour powered by software made by Krpano. This software is affected by a reflected cross-site scripting (XSS) vulnerability that has been exploited to lead users to shady websites promoting adult content, diets, hacking services, and online casinos. 

Krpano is a widely used framework for panoramic images, enabling the creation of virtual tours and VR environments. 

The XSS vulnerability, found in a library that is present on websites using the Krpano software, has allowed a threat actor to redirect users from pages hosted on those sites to arbitrary domains. The attackers used SEO poisoning to lure users to the pages hosting the malicious redirects. 

Zaytsev identified — based on Google searches — more than 350 websites exploited by this threat actor, including sites belonging to government organizations, major universities, hotel chains, car dealerships, news outlets, and Fortune 500 companies. 

“Most of these sites were very popular and are having millions of visitors each month, and some had been hit multiple times, serving different types of ads,” the researcher said. 

In some cases, the attackers did not redirect users to third-party websites and instead managed to embed their shady ads directly on the impacted site to make them more credible. One example is a CNN page, in which the hackers managed to directly embed casino ads. 

An investigation by Zaytsev showed that the existence of the vulnerability has been known since 2020, when it was assigned CVE-2020-24901. Krpano developers implemented some restrictions at the time to prevent XSS attacks, but the patch was incomplete and the impact of the flaw was downplayed at the time. 

The researcher has notified Krpano developers about the exploitation of the vulnerability and they implemented measures to prevent abuse with the release of version 1.22.4 on February 24. 

SecurityWeek has reached out to Krpano for comment and will update this article if the company responds. 

Zaytsev attempted to directly notify many of the impacted organizations, but in many cases he did not manage to get through to anyone. In some cases, the affected organization did take steps to address the issue. 

Related: Critical Vulnerabilities Found in Anti-Spam Plugin Used by 200,000 WordPress Sites

Related: Domains Once Owned by Major Firms Help Millions of Spam Emails Bypass Security