Hackers breach US govt agencies using Adobe ColdFusion exploit

December 5, 2023 at 12:07PM

CISA warns of ongoing attacks exploiting a critical Adobe ColdFusion vulnerability (CVE-2023-26360) even though a fix is available. Attackers targeted government servers, installed malware and conducted reconnaissance. Although the attacks were contained, CISA stresses updating ColdFusion and strengthening security measures.

Meeting Takeaways:

1. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding ongoing exploitation by hackers of the critical Adobe ColdFusion vulnerability, identified as CVE-2023-26360.
2. The affected versions are Adobe ColdFusion 2018 Update 15 and older, and 2021 Update 5 and earlier. Adobe addressed the issue with new updates released in mid-March.
3. Despite the fix, incidents in June have shown that CVE-2023-26360 remains a threat, with two federal agency systems being compromised.
4. In both June incidents, attackers targeted vulnerable, outdated versions of Adobe ColdFusion on public-facing web servers, resulting in malware being dropped onto the servers.
5. The first incident (June 26) involved Adobe ColdFusion v2016.0.0.3, with the attackers installing a web shell and performing various malicious activities, including credential extraction.
6. The second incident (June 2) involved the exploitation of Adobe ColdFusion v2021.0.0.2, where attackers gathered user account information and deployed a remote access trojan.
7. In both cases, the attacks were detected by Microsoft Defender for Endpoint before data exfiltration or lateral movement occurred, and the compromised assets were swiftly isolated.
8. CISA considers these intrusions to be reconnaissance efforts, but it is uncertain whether a single threat actor is responsible for both incidents.
9. To mitigate such threats, CISA advises updating ColdFusion to the latest version, implementing network segmentation, deploying firewall or WAF defenses, and enforcing policies that allow only signed software to execute.