Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers

December 6, 2023 at 06:00AM

CISA warns that a high-severity Adobe ColdFusion vulnerability (CVE-2023-26360) is being actively exploited against outdated versions of the software. Attackers used it to gain unauthorized access to and execute code on government servers, install malware, and conduct reconnaissance. Updated ColdFusion versions fix the flaw.

Meeting Takeaways:

1. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the active exploitation of a critical vulnerability in Adobe ColdFusion (CVE-2023-26360), used to gain unauthorized access to government servers.

2. The vulnerability, caused by improper access control, could lead to arbitrary code execution and affected ColdFusion 2018 (Update 15 or earlier) and ColdFusion 2021 (Update 5 or earlier).

3. Adobe released patches for the vulnerability on March 14, 2023: Update 16 for ColdFusion 2018 and Update 6 for ColdFusion 2021.

4. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog due to evidence of active exploitation, also confirmed by Adobe.

5. At least two public-facing servers running outdated ColdFusion versions were compromised, and the attackers executed various commands, including dropping malware.

6. The attacks are believed to be reconnaissance efforts, focusing on mapping networks without observed lateral movement or data exfiltration.

7. In one incident, attackers uploaded files capable of exporting web browser cookies and decrypting passwords for ColdFusion data sources.

8. Another observed attack involved a modified ByPassGodzilla web shell with a JavaScript loader that required communication with the actor-controlled server.

9. The adversaries attempted to exfiltrate Windows Registry files and viewed the contents of the seed.properties file, which is used to encrypt passwords and could therefore be used to decrypt them. However, no attempt to decrypt passwords was observed during the incidents.

Staying current with the latest patches and monitoring for suspicious activity remain critical for organizational cybersecurity.
