Varonis has revealed a growing threat where attackers use SEO poisoning to deceive IT administrators into downloading malware. Additionally, a severe root access vulnerability has been identified in Azure’s AZNFS-mount utility, which affects HPC/AI workloads. Azure users are urged to update immediately.
Cybersecurity researchers at Varonis issued warnings about two significant threats targeting IT administrators and cloud infrastructures. In a blog post on May 2, 2025, Varonis reported an increasing trend over the last two months where attackers have exploited SEO poisoning to trick admins into downloading malware disguised as legitimate tools.
Furthermore, on May 6, the company’s Threat Labs uncovered a severe vulnerability in a pre-installed Azure utility that could allow non-privileged users to gain root access to cloud systems.
SEO Poisoning Campaign
SEO poisoning campaigns involve cybercriminals manipulating search engine rankings to place malicious websites at the top of common IT tool search results. Unsuspecting administrators, believing they are downloading legitimate software, end up installing malware, which can open the door to backdoors like SMOKEDHAM, allowing attackers continuous access.
Tom Barnea and Simon Biggs from Varonis’ MDR Forensics team highlighted several cases where such tactics led to the deployment of surveillance software, like a renamed version of Kickidler (grabber.exe). This allowed attackers to secretly monitor infected systems and steal credentials.
In one notable case, attackers exfiltrated nearly a terabyte of data before encrypting critical systems, such as ESXi devices, to demand a ransom.
Azure Vulnerability
Another critical discovery came from Tal Peleg of Varonis Threat Labs, who uncovered a severe flaw in the AZNFS-mount utility, pre-installed in Azure’s high-performance computing (HPC) and artificial intelligence (AI) images. The vulnerability affects all versions 2.0.10 and below and may enable regular users to escalate their privileges to root on Linux machines.
The flaw is in the mount.aznfs binary: because of improper permissions, attackers can exploit it to execute arbitrary commands with the highest system privileges. By manipulating specific environment variables, they can gain complete control over the affected Azure systems.
Varonis responsibly disclosed the vulnerability to Microsoft Azure, which classified it as low risk. However, gaining root access to cloud infrastructure could have significant consequences, as it may allow attackers to mount additional storage, install malware, and move laterally within the cloud environment. Microsoft has issued a patch for this vulnerability in the AZNFS-mount utility version 2.0.11.
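To act on the version boundary above (2.0.10 and below affected, 2.0.11 fixed), the following added example triages a fleet inventory of reported AZNFS-mount versions. It is not code from Varonis or Microsoft; the "host version" inventory format, the hostnames and the sample versions are constructed, and how each host's version is collected is left to your own tooling.

```shell
#!/bin/sh
# Fixed release named in the article; 2.0.10 and below are affected.
FIXED_VERSION="2.0.11"

# Return 0 when dotted version $1 is numerically lower than $2.
# Compares field by field, so 2.0.9 < 2.0.10 (a plain string compare gets this wrong).
version_lt() {
    a=${1%%-*}; b=${2%%-*}          # drop a package revision suffix such as "-1"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                         # versions are equal
}

# Print VULNERABLE, OK or UNKNOWN for one reported version string.
classify_aznfs() {
    case "${1%%-*}" in
        ""|*[!0-9.]*) echo "UNKNOWN"; return ;;   # empty or non-numeric: review by hand
    esac
    if version_lt "$1" "$FIXED_VERSION"; then echo "VULNERABLE"; else echo "OK"; fi
}

# Read "host version" lines on stdin; print "host version status" per host.
triage_inventory() {
    while read -r host ver; do
        case "$host" in ""|\#*) continue ;; esac   # skip blanks and comments
        echo "$host ${ver:--} $(classify_aznfs "$ver")"
    done
}

# Constructed sample inventory (hostnames and versions are made up for illustration).
sample_inventory() {
    cat <<'EOF'
hpc-node-01 2.0.10
hpc-node-02 2.0.9
ai-train-01 2.0.11
ai-train-02 1.9.3-1
hpc-node-03 2.1.0
hpc-node-04
EOF
}

sample_inventory | triage_inventory
```

Hosts that report no version come back as UNKNOWN rather than OK, so a failed inventory query is not mistaken for a patched machine.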
Recommendations
Despite the patch, these findings underscore the evolving tactics of cybercriminals as they continuously refine their methods to target critical IT infrastructures. The SEO poisoning campaign highlights the need for IT professionals to remain vigilant when downloading tools, even those from top-ranked search results. Meanwhile, the Azure vulnerability stresses the importance of timely patching and proper configuration of cloud resources.
Varonis advises organizations to adopt a defense-in-depth strategy, which includes employee training, endpoint security, network segmentation, and strict access controls to mitigate these growing threats. Azure customers using HPC images or NFS for Azure storage are strongly encouraged to update their AZNFS-mount utility.