360XSS Attack Impacts More Than 350 Major Websites

A sophisticated campaign known as 360XSS has exploited a vulnerability in the Krpano software, manipulating search results and disseminating spam ads across over 350 websites, including government sites, educational institutions, and major news outlets.

Cybersecurity researcher Oleg Zaytsev has uncovered a far-reaching attack that targets a flaw within the Krpano virtual tour framework. The campaign, termed “360XSS,” is characterized by its tactics of manipulating search engines and distributing a high volume of advertisements.

Krpano is a widely recognized tool that facilitates the creation of virtual 360° experiences, allowing users to navigate through panoramic images and videos. This vulnerability involves a reflected cross-site scripting (XSS) flaw cataloged as CVE-2020-24901, found in a default configuration of Krpano that permits direct injection of query parameters into the framework. This oversight rendered multiple sites susceptible, with patches only being rolled out later.

The discovery of this campaign was initiated by a peculiar search result for adult content linked to a reputable university’s domain. Investigations revealed the site was utilizing the Krpano framework, with attackers targeting a specific URL parameter to inject harmful code that redirected users to spam advertisements. This illustrates a more advanced form of attack, extending beyond mere website defacement.

The magnitude of this campaign is alarming; it compromised hundreds of sites across various sectors, including government portals, academic institutions, and media organizations. By exploiting the XSS vulnerability, attackers injected scripts that altered search engine results, enhancing the visibility of spam advertisements through a technique known as SEO poisoning. This tactic not only amplified their reach but also leveraged the perceived authority of the compromised domains.
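The article describes the attack only at a high level: a query parameter on a Krpano tour page is reflected into the viewer, and the injected code redirects visitors to spam. For a defender, the first question is whether such requests appear in one's own access logs. The following added Python example (not from the article, Zaytsev's research, or the Krpano project) scans constructed web-server log lines for requests to viewer pages whose query values carry reflected-XSS indicators. The `/tour/` path prefix, the parameter names `xml` and `startscene`, and the log lines themselves are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:12:00:02 +0000] "GET /tour/index.html?xml=https://example.invalid/evil.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /tour/index.html?startscene=%3Cscript%3Elocation%3D%27https%3A%2F%2Fexample.invalid%27%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:04 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Pages on this (assumed) site that embed the Krpano viewer.
VIEWER_PATH_RE = re.compile(r"^/tour/")
# Inline script, javascript: URLs, or event-handler attributes in a parameter value.
INLINE_SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)
# A value that points the viewer at a resource on another host.
EXTERNAL_URL_RE = re.compile(r"^(https?:)?//", re.I)


def suspicious_params(target):
    """Return (param, reason) pairs for query values that look like reflected-XSS attempts."""
    parts = urlsplit(target)
    if not VIEWER_PATH_RE.match(parts.path):
        return []
    findings = []
    # parse_qsl percent-decodes values, so the checks see the decoded payload.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if INLINE_SCRIPT_RE.search(value):
            findings.append((key, "inline-script"))
        elif EXTERNAL_URL_RE.match(value):
            findings.append((key, "external-resource"))
    return findings


def scan_log(text):
    """Return (client_ip, request_target, findings) for each suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = suspicious_params(m.group("target"))
        if findings:
            hits.append((line.split(" ", 1)[0], m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, findings)
```

A hit on a viewer page that returned 200 is worth checking against the tour's own configuration, since a legitimate tour normally loads its XML from the same host.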

Notably, the 360XSS campaign has impacted a diverse range of entities, from sensitive governmental websites to prominent news outlets and Fortune 500 companies. Zaytsev, who shared insights on the investigation, speculated that an Arab group might be behind the campaign based on the content of the ads and patterns observed during his research.

Efforts to report the vulnerability to affected organizations faced hurdles, as many lacked clear disclosure protocols. However, some positive responses were recorded, prompting the Krpano developers to issue subsequent patches. Organizations utilizing Krpano are strongly encouraged to update their systems and disable the vulnerable configuration setting to safeguard against future exploits.

The attack illustrates a shift in tactics among cyber adversaries, moving from traditional malware delivery methods to exploiting existing web frameworks and browser vulnerabilities. According to Eran Elshech, Field CTO at Seraphic Security, the 360XSS campaign exemplifies the ease with which attackers can utilize known XSS vulnerabilities to compromise trusted sites and manipulate digital advertising spaces. This approach underscores the importance of vigilance in monitoring high-traffic websites and the potential risks associated with external integrations.

As the landscape of cyber threats evolves, the scalability and stealth of such attacks present formidable challenges for organizations. Cybersecurity protocols must evolve to effectively address these dynamics, ensuring robust defenses against increasingly sophisticated methods of infiltration and compromise.
