New Malware Campaign Targets IT Admins Through SEO Poisoning

Cybersecurity firm Varonis has uncovered alarming threats in the realm of IT administration, specifically revealing that attackers are employing SEO poisoning tactics to deceive administrators into downloading malware. Additionally, a critical root access vulnerability has been identified in Azure’s AZNFS-mount utility, which poses risks for high-performance computing (HPC) and artificial intelligence (AI) workloads. It is imperative for users to update Azure systems without delay.

Recent findings from Varonis’ cybersecurity researchers indicate two pressing threats that have emerged in just the past two months. In a blog post dated May 2, 2025, the company detailed the rise of an SEO poisoning scheme. Cybercriminals are manipulating search rankings to position malicious sites at the top of results, tricking IT administrators into downloading what they believe to be legitimate software.

On May 6, Varonis Threat Labs reported a critical vulnerability in the Azure AZNFS-mount utility. This flaw allows users without administrative privileges to gain root access to cloud systems, potentially compromising sensitive information across a variety of platforms.

The SEO poisoning strategy involves cybercriminals enhancing the visibility of malicious sites in search results for common administration tools. Administrators, operating under the assumption that they are downloading authentic software, may instead execute malware capable of installing backdoors such as SMOKEDHAM, which grants attackers persistent access to their systems.

Members of the Varonis MDR Forensics team, Tom Barnea and Simon Biggs, highlighted cases where this technique resulted in the deployment of stealthy monitoring software, such as a renamed version of Kickidler (designated as grabber.exe). This allows attackers to surreptitiously monitor infected systems and siphon off credentials.

This initial point of access can often lead to severe consequences, including data exfiltration. In one documented incident, attackers transferred nearly a terabyte of data from a compromised network and then encrypted essential systems for ransom, specifically targeting the customer's ESXi hosts.

In a separate yet equally critical revelation, researcher Tal Peleg from Varonis Threat Labs identified a significant flaw within the AZNFS-mount utility, which is preinstalled in Azure’s HPC and AI images. The vulnerability, affecting all versions up to 2.0.10, permits standard users to escalate privileges to root level on Linux machines. This flaw resides in the mount.aznfs binary, where incorrect permissions allow unauthorized command execution with elevated system privileges.
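A defender-side audit for the AZNFS-mount issue described above, added here as an example and not code from Varonis or from the article. It assumes the helper is installed at /sbin/mount.aznfs (path assumed), that the operator supplies the installed version from their package manager, and that versions are three-part dotted numbers; the only fact taken from the article is the affected range (up to 2.0.10) and the setuid nature of the binary.

```shell
#!/bin/sh
# Audit helper for the AZNFS-mount privilege-escalation issue.
# Facts from the report: mount.aznfs runs with elevated privileges and all
# versions up to 2.0.10 are affected. Everything else below is an assumption.

AZNFS_MAX_AFFECTED=2.0.10

# "2.0.10" -> 1002000010. The leading "1" keeps the result from starting
# with zeros, so [ -le ] compares it as a plain decimal integer.
# Assumes three dotted numeric components, each below 1000.
vernum() {
  printf '1%03d%03d%03d' $(printf '%s' "$1" | tr '.' ' ')
}

# Exit status 0 when the given version is inside the affected range.
version_affected() {
  [ "$(vernum "$1")" -le "$(vernum "$AZNFS_MAX_AFFECTED")" ]
}

# Exit status 0 when the path exists, is owned by root and carries the setuid
# bit (mode 04000). -prune stops find from descending if a directory is given.
is_setuid_root() {
  [ -n "$(find "$1" -prune -perm -4000 -user root -print 2>/dev/null)" ]
}

# aznfs_audit [PATH] VERSION
#   returns 2: helper not present at PATH (nothing to fix)
#   returns 1: affected version present (update required)
#   returns 0: version outside the affected range
aznfs_audit() {
  path=${1:-/sbin/mount.aznfs}   # assumed install location
  ver=$2
  if [ ! -e "$path" ]; then
    echo "aznfs: $path not found, nothing to audit"
    return 2
  fi
  if is_setuid_root "$path"; then suid=yes; else suid=no; fi
  if version_affected "$ver"; then
    echo "aznfs: version $ver is affected (<= $AZNFS_MAX_AFFECTED), setuid-root=$suid: update now"
    return 1
  fi
  echo "aznfs: version $ver is outside the affected range, setuid-root=$suid"
  return 0
}
```

Run it as `aznfs_audit /sbin/mount.aznfs "$(your package manager's version query)"` on each HPC or AI image; a return code of 1 means the host still needs the update.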

Taken together, these findings illustrate that cybercriminals are refining their tactics to exploit critical IT infrastructure. The SEO poisoning campaign underscores the need for greater vigilance among IT professionals when downloading software from search results, regardless of its apparent legitimacy. The vulnerability in Azure's utility accentuates the necessity for timely updates and careful configuration of cloud resources.

To counteract these evolving threats, Varonis recommends that organizations adopt a “Defense in Depth” approach, which includes thorough employee training, endpoint security measures, network segmentation, and robust access controls. Azure customers utilizing HPC images or NFS for Azure Storage are strongly advised to promptly update their AZNFS-mount utility.
