A vulnerability in Adobe’s ColdFusion allowed hackers to breach two public-facing servers at a federal agency. The Cybersecurity and Infrastructure Security Agency (CISA) published a report explaining the way it happened.
ColdFusion Vulnerability Exploited to Infiltrate Federal Agency Servers
Recently, CISA has reported that Adobe’s ColdFusion – an application development tool, continues to pose a serious threat to organizations. Even though Adobe patched the CVE-2023-26360 vulnerability in March, CISA disclosed that two public-facing web servers at an undisclosed federal government agency were breached this summer.
The attackers exploited the CVE-2023-26360 vulnerability in the ColdFusion software, which enabled them to penetrate the systems. They deploy malware, including a remote access trojan (RAT), and access data through a web shell interface. The problem is that the affected servers ran outdated and vulnerable ColdFusion versions. Although Adobe released patches in March, only some users installed them. As a result, the lack of updates left an opening for intruders to gain initial access.
Fixed But Still Works
The CVE-2023-26360 flaw in ColdFusion allows arbitrary code execution without user action. Adobe released the patch that fixes the issue back in March 2023. However, as some users do not see the need to install this hotfix, threat actors have persistently exploited the vulnerability in unpatched systems. The flaw affects ColdFusion versions 2018 Update 15 and earlier, as well as 2021 Update five and earlier, including unsupported versions.
As for current incidents, they both occurred in June. In the first breach, hackers accessed the web server through a vulnerable IP address, exploiting the ColdFusion flaw. They attempted lateral movement, viewed information about user accounts, and executed reconnaissance. In addition, they dropped malicious artifacts, including a RAT that utilizes a JavaScript loader. Nevertheless, the attack was thwarted before successful data exfiltration.
In the second incident, the attackers checked the web server’s operating system and ColdFusion version, inserting malicious code to extract usernames, passwords, and data source URLs. Evidence suggests the activity amounted to network reconnaissance mapping rather than confirmed data theft. The malicious code hints at threat actors’ potential activities, leveraging the compromised credentials.
Nice try, but please try again later
According to experts, although the attackers managed to penetrate the target network, they could not do much damage. Actions encompassed reconnaissance, user account reviews, malware distribution, data exfiltration attempts, and code planting to extract credentials. Eight artifacts were left behind alongside a modified publicly available web shell for remote access.
While later quarantined, assets exposed included password information that could enable deeper network pivoting. However, no data thefts or system transitions were confirmed. It’s unclear whether one or multiple actors were responsible for the linked events. However, one thing is sure: despite vendors fixing vulnerabilities quickly, user’s negligence abuses malicious code without target interaction by even low-skilled actors.
Older Vulnerabilities Cause More and More Concerns
Aside from some extreme cases, software developers rarely ignore patching serious vulnerabilities. Large companies though are ones who definitely pay less attention than they should. And as we can see from this story, this is applicable even to government organizations. And this is what creates concerns.
As time goes on, hackers find more and more ways to exploit the same vulnerabilities. While some of them are getting patched by all parties or rendered ineffective, others remain actual and, what is worse, exploitable. After the initial discovery of a certain vulnerability, it is obvious to expect a boom in its exploitation. This comes especially true for programs that are generally used by large corporations – a category most of govt orgs fall into.
Leaving such vulnerabilities unpatched is effectively an invitation for a hacker to pay your network a visit. In a modern turbulent and uneven time, such decisions borderline recklessness, if not outright sabotage.