The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm about a critical vulnerability in Adobe ColdFusion that hackers are actively exploiting to gain access to government servers. This security flaw, tagged as CVE-2023-26360, allows hackers to execute arbitrary code on servers running Adobe ColdFusion 2018 Update 15 and older, and 2021 Update 5 and earlier. The vulnerability was exploited as a zero-day before Adobe addressed it in mid-March by releasing updates. Despite the fix, the flaw continues to be exploited, with incidents as recent as June impacting two federal agency systems.
CISA has indicated that “In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment”. Both servers were running outdated software versions, making them vulnerable to various CVEs. The hackers leveraged the vulnerability to introduce malware by sending HTTP POST requests to the directory path associated with ColdFusion.
The first incident, recorded on June 26, saw the hackers exploit the vulnerability to breach a server running Adobe ColdFusion v2016.0.0.3. The hackers conducted process enumeration and network checks, and installed a web shell that allowed them to insert code into a ColdFusion configuration file and extract credentials. They then deleted the files used in the attack to cover their tracks and created files in the C:\IBM directory to carry out malicious activity undetected.
The second incident took place on June 2, with the hackers exploiting the same vulnerability on a server running Adobe ColdFusion v2021.0.0.2. Here, they gathered user account information before introducing a text file that decoded into a remote access trojan. They then attempted to exfiltrate Registry files and Security Account Manager (SAM) information, and abused security tools already present on the host to access SYSVOL, a special directory present on every domain controller in a domain.
In both instances, the attacks were detected and blocked before any data could be exfiltrated or lateral movement could occur. The compromised assets were removed from critical networks within 24 hours. CISA has categorized these attacks as reconnaissance efforts, but it is unclear whether the same threat actor is behind both intrusions. To mitigate the risk, CISA advises upgrading ColdFusion to the latest available version, implementing network segmentation, setting up a firewall or web application firewall (WAF), and enforcing signed software execution policies.
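As an added example (not code from CISA or from this article), the following Python script maps the affected-version thresholds stated above onto a server inventory so a defender can see which hosts are still in scope for CVE-2023-26360. It assumes that the last component of the dotted `v2021.0.0.2` form quoted in the incidents is the update number, and it treats any release older than 2018 as out of support.

```python
import re

# Thresholds from the advisory: CVE-2023-26360 affects ColdFusion
# 2018 Update 15 and earlier and 2021 Update 5 and earlier.
LAST_AFFECTED_UPDATE = {2018: 15, 2021: 5}


def parse_version(text):
    """Return (release_year, update_number) or None if unrecognised.

    Accepts "ColdFusion 2018 Update 15" style strings and the dotted
    "v2021.0.0.2" form; reading the last dotted component as the update
    number is an assumption of this script, not something Adobe documents.
    """
    m = re.search(r"(\d{4})\s*Update\s*(\d+)", text, re.IGNORECASE)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.search(r"v?(\d{4})\.(\d+)\.(\d+)\.(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(4))
    return None


def classify(text):
    """Classify one version string against the advisory thresholds."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    year, update = parsed
    if year < 2018:
        return "out-of-support"   # older than both patched branches
    limit = LAST_AFFECTED_UPDATE.get(year)
    if limit is None:
        return "not-in-advisory"  # release the advisory does not list
    return "affected" if update <= limit else "patched"


def triage(inventory):
    """Map hostname -> status for a dict of hostname -> version string."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames are made up); it reuses the two
# version strings quoted in the incidents plus a few other cases.
SAMPLE_INVENTORY = {
    "web-pre-01": "Adobe ColdFusion v2016.0.0.3",
    "web-pre-02": "Adobe ColdFusion v2021.0.0.2",
    "web-prod-01": "ColdFusion 2018 Update 16",
    "web-prod-02": "ColdFusion 2021 Update 5",
    "web-lab-01": "ColdFusion 2023 Update 1",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```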