CISA published an advisory regarding a new hacking campaign that exploits the Adobe ColdFusion vulnerability. The flaw is CVE-2023-26360, which became a primary target for threat actors to acquire initial access to government servers.
Based on reports, this security loophole could allow an attacker to execute arbitrary code on servers running Adobe ColdFusion 2018 Update 15 and older, as well as 2021 Update 5 and earlier.
Adobe addressed the issue earlier this year with the ColdFusion 2018 Update 16 and 2021 Update 6 releases. However, the fixes have not stopped the attacks: CISA reveals that threat actors continue to exploit the flaw on unpatched systems, as evidenced by two June incidents affecting federal agency systems.
CISA describes two incidents in which hackers exploited the Adobe ColdFusion vulnerability.
In both incidents, Microsoft Defender for Endpoint (MDE) notified CISA of potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agencies' pre-production environments. Both servers were reportedly running outdated software versions exposed to multiple CVEs.
The attackers leveraged CVE-2023-26360 to launch malware using HTTP POST requests to the directory path associated with ColdFusion. The first incident, recorded on June 26, targeted a server running Adobe ColdFusion v2016.0.0.3. After exploiting the vulnerability, the attackers performed process enumeration and network checks, then installed a web shell to insert code into a ColdFusion configuration file and extract credentials.
In the second incident, on June 2, the hackers exploited the same vulnerability on a server running Adobe ColdFusion v2021.0.0.2. In this instance, the hackers collected user account information before deploying a text file decoded as a remote access trojan (d.jsp). Subsequently, the attackers tried to exfiltrate Registry files and Security Account Manager (SAM) information.
CISA categorises both incidents as reconnaissance campaigns, but it remains unclear whether the same threat actor was behind them. Fortunately, the agency detected and contained both intrusions before data exfiltration or lateral movement occurred.
The agency advises the government sector to upgrade ColdFusion to the latest version, implement network segmentation, deploy a firewall or Web Application Firewall (WAF), and enforce signed software execution policies to mitigate the risk posed by this persistent threat.