The United States Cybersecurity and Infrastructure Security Agency (CISA) has warned about active exploitation of a high-severity vulnerability in Adobe ColdFusion by unidentified cyber criminals to gain initial access to government servers.
What are the vulnerabilities in Adobe’s ColdFusion
“The vulnerability in ColdFusion (CVE-2023-26360) presents itself as an improper access control issue and exploitation of this CVE may lead to arbitrary code execution”, CISA stated, adding that an unnamed federal agency was targeted between June and July 2023.
The flaw affects ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier); it was (fortunately) later fixed in Update 16 and Update 6, respectively, released on March 14, 2023.
CISA subsequently added it to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in various sectors; Adobe, in an advisory released at the time, said it was aware of the issue being “exploited in the wild in very limited attacks.”
The agency noted that at least two public servers were compromised using the flaw, both of which were running outdated versions of the software.
“Furthermore, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed cybercriminals to deposit malware using HTTP POST commands in the directory path associated with ColdFusion“, CISA noted.
There is evidence to suggest that the malicious activity was a reconnaissance effort aimed at mapping the larger network, although no lateral movement or data exfiltration was observed.
In one of the incidents, the adversary was observed traversing the filesystem and uploading various artifacts to the web server, including binaries capable of exporting web browser cookies and malware designed to crack passwords for ColdFusion data sources.
A second event, recorded in early June 2023, resulted in the deployment of a remote access trojan that is a modified version of the ByPassGodzilla web shell and “uses a JavaScript loader to infect the device and requires communication with the server controlled by the author [or authors] to perform actions”.
The adversary (or someone acting on their behalf) also attempted to exfiltrate Windows Registry files and, unsuccessfully, to download data from a command-and-control (C2) server.
“In this incident, the analysis strongly suggests that threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface”, CISA said, adding: “The seed.properties file contains the seed value and the encryption method used to encrypt passwords. Seed values can also be used to crack passwords. No malicious code was found on the victim’s system indicating that the attackers attempted to decrypt the passwords using the values found in the seed.properties file”.
Conclusion
Users are therefore advised not to run obsolete versions of ColdFusion (that is, old versions no longer supported by Adobe), and to keep not only the program itself updated, but also the Adobe launcher and any related programs.
Unfortunately, despite repeated warnings from IT experts, many people still rely on piracy to save money, often suffering collateral damage on their devices, and tend not to update the operating system for fear of some subsequent problem, ignoring the real function of security patches.