December 5, 2023 at 12:47PM
CISA reported two server breaches at a federal agency due to an unpatched Adobe ColdFusion flaw (CVE-2023-26360). The attackers exploited the vulnerability for reconnaissance and malware deployment, but their further malicious activities were hindered. The incidents occurred months after agencies were ordered to patch the flaw, and the attackers’ identities remain undisclosed.
Meeting Takeaways:
1. Incident Overview:
– A federal agency experienced breaches on at least two servers due to attackers exploiting a critical vulnerability in Adobe ColdFusion.
– The vulnerability is identified as CVE-2023-26360.
2. Timeline:
– CVE-2023-26360 was disclosed in March.
– CISA added CVE-2023-26360 to the KEV catalog and set an April 5 deadline for fixing the issue.
– The federal agency was attacked in June and July, indicating non-compliance with the CISA deadline for over three months.
3. Advisory Details:
– CISA’s recent advisory did not confirm if the vulnerability had been patched post-incident, the identity of the attackers, or the consequences of the missed patching deadline.
– Analysis showed the servers had outdated Adobe ColdFusion versions and were susceptible to multiple CVEs.
– There is no confirmation of data exfiltration, but reconnaissance activities are suspected.
4. Attack Descriptions:
– Incident One (June 2): Initial access was gained through CVE-2023-26360, leading to data reconnaissance and deployment of a remote access trojan (RAT). Several attack attempts, including credential theft and policy changes, were unsuccessful.
– Incident Two (June 26): Attackers entered via a malicious IP from a legitimate cloud service, exploited the same CVE, removed logs to avoid detection, and attempted credential theft and file upload. They were unable to decrypt passwords due to version incompatibility.
5. Outcomes:
– In the first incident, although certain attack phases failed, CISA considers it highly likely that attackers accessed the encryption method and seed value used for passwords.
– In the second incident, despite the attackers’ efforts, password decryption was not achieved due to the usage of a newer version of ColdFusion that did not have the hardcoded seed value.
6. Current Status:
– CISA has not confirmed whether data was stolen or if the two incidents are linked.
– No evidence was found on the server to suggest successful password decryption using the obtained seed values.
7. Security Recommendations (implied):
– Agencies must adhere to CISA’s deadlines for patching known vulnerabilities to prevent exploitation.
– Regular updates to software and security solutions are crucial to defend against known CVEs.
– Continuous monitoring and logging are essential to detect and respond to unauthorized activities promptly.
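As an added illustration of the first recommendation (this is example code, not part of the CISA advisory or of this summary): a small Python check that compares an asset inventory against the KEV catalog's due dates and lists every open KEV entry that is past its deadline, ranked by days overdue. The KEV field names (cveID, product, dueDate) are the ones the published catalog JSON uses; the inventory layout, the hostnames and the second catalog entry are constructed for the demo, and the year on the April 5 deadline is assumed to be 2023 from the CVE identifier.

```python
"""KEV deadline compliance check (added example, not CISA's or the advisory's code).

Reads a KEV catalog document and an inventory of hosts with their still-open
CVEs (the shape a vulnerability-scanner export would give you) and reports
every host/CVE pair whose KEV remediation deadline has already passed.
"""
import json
from datetime import date

# Constructed KEV excerpt. The first entry uses the CVE and April 5 deadline the
# advisory describes (year assumed); the second entry is a placeholder.
KEV_JSON = json.dumps({
    "catalogVersion": "demo",
    "vulnerabilities": [
        {"cveID": "CVE-2023-26360", "vendorProject": "Adobe",
         "product": "ColdFusion", "dueDate": "2023-04-05"},
        {"cveID": "CVE-1900-0001", "vendorProject": "PLACEHOLDER",
         "product": "PLACEHOLDER", "dueDate": "2023-07-01"},
    ],
})

# Constructed inventory: hostnames and open CVE lists are made up for the demo.
INVENTORY = [
    {"host": "cf-app-01.example.internal", "open_cves": ["CVE-2023-26360"]},
    {"host": "cf-app-02.example.internal", "open_cves": ["CVE-2023-26360", "CVE-1900-0001"]},
    {"host": "web-03.example.internal", "open_cves": []},
]


def load_kev(kev_json):
    """Map each KEV cveID to its remediation due date."""
    catalog = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in catalog["vulnerabilities"]}


def overdue_findings(kev_json, inventory, today):
    """Return open KEV entries whose due date is before `today`, worst first.

    CVEs that are not in the KEV catalog are ignored here: they may still
    matter, but they carry no CISA deadline to measure against.
    """
    due_by_cve = load_kev(kev_json)
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            due = due_by_cve.get(cve)
            if due is None or today <= due:
                continue
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "due": due.isoformat(),
                "days_overdue": (today - due).days,
            })
    # Longest-overdue first, then by hostname for a stable report.
    findings.sort(key=lambda f: (-f["days_overdue"], f["host"]))
    return findings


def format_report(findings):
    """Render findings as one line per host/CVE pair."""
    if not findings:
        return "No KEV entries past their due date."
    return "\n".join(
        f"{f['host']}: {f['cve']} due {f['due']}, {f['days_overdue']} days overdue"
        for f in findings
    )


if __name__ == "__main__":
    # June 2 is the date of the first incident in the advisory.
    print(format_report(overdue_findings(KEV_JSON, INVENTORY, date(2023, 6, 2))))
```

Run against a real scanner export, the same check is what turns the "April 5 deadline" into a per-host number a patching team can be held to; a host showing 58 days overdue on the day of the first incident is the kind of signal that should have been visible before the intrusion, not after.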
It is critical to address the outlined vulnerabilities and recommendations promptly to improve cybersecurity posture against future threats.