Unknown attackers have leveraged a critical vulnerability in the Adobe ColdFusion application development platform to access government servers, the Cybersecurity and Infrastructure Security Agency (CISA) has shared.
CVE-2023-26360 is a deserialization of untrusted data vulnerability that could lead to arbitrary code execution.
CVE-2023-26360 affected Adobe ColdFusion versions 2021, 2018, 2016 and 11, but Adobe provided patches only for the first two, as ColdFusion 2016 and 11 had already reached the end of their lifecycle.
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog the following day and set April 5 as the deadline for implementing the fix.
Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies must remediate vulnerabilities in the KEV catalog within prescribed timeframes.
CISA has revealed that unknown attackers exploited CVE-2023-26360 to target an FCEB agency between June and July 2023.
In two separate attacks, the attackers compromised at least two public-facing servers that were running outdated software versions; one was running Adobe ColdFusion v2021.
In the first attack, in early June, the attackers performed extensive reconnaissance: they enumerated domain trusts and collected information about local and domain administrative user accounts and about the network configuration.
They also dropped a remote access trojan (RAT) and tried to exfiltrate Registry files and Security Account Manager (SAM) information.
On June 26, 2023, the attackers accessed another public-facing web server running Adobe ColdFusion and again engaged in reconnaissance: they enumerated running processes, checked network connectivity, collected information about the web server and the OS, and checked for the presence of ColdFusion versions 2018 and 2016.
They uploaded various files to the web server and tried to execute code aimed at extracting usernames, passwords, and data source URLs.
Both incidents were identified and blocked, and there is no evidence of data exfiltration or lateral movement.
CISA says it does not know whether the same or different threat actors were behind the two incidents.
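The reconnaissance activity described in both incidents (domain trust enumeration, admin account enumeration, network configuration, process and OS information gathering) is the kind of behaviour defenders can hunt for in process-creation telemetry. The following is an added example, not code from the article or from the CISA advisory: it runs two simple detections over constructed Windows process-creation log lines, flagging a web-application process spawning a command shell and a burst of several distinct reconnaissance categories on one host within a short window. The log format, the process names (including `coldfusion.exe` as the assumed service process name) and the command-line patterns are assumptions chosen for illustration, not indicators from the advisory.

```python
"""Flag reconnaissance bursts and web-process-spawned shells in process logs.

Added example, not from the Help Net Security article or the CISA advisory.
The log lines below are constructed; the command patterns are common Windows
ways of performing the reconnaissance actions the advisory describes and are
assumptions, not indicators of compromise from the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each regex is tagged with the reconnaissance category it indicates (assumed).
RECON_PATTERNS = {
    "domain_trusts": re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I),
    "admin_accounts": re.compile(r"\bnet1?(\.exe)?\s+(group|localgroup)\b.*admin", re.I),
    "network_config": re.compile(r"\b(ipconfig(\.exe)?\s+/all|netstat(\.exe)?\s+-a)", re.I),
    "process_list": re.compile(r"\btasklist(\.exe)?\b", re.I),
    "os_info": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
}

# Web-application processes that should not normally spawn command shells.
# "coldfusion.exe" is an assumed service process name; adjust for your deployment.
WEB_PARENTS = {"coldfusion.exe", "w3wp.exe", "httpd.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed log format: timestamp, host, parent image, image, quoted command line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Constructed sample telemetry (not real data): one web server showing the
# recon chain, one workstation with a benign single ipconfig call.
SAMPLE_LOG = [
    '2023-06-02 10:14:03 host=web01 parent=coldfusion.exe image=cmd.exe cmd="cmd.exe /c whoami"',
    '2023-06-02 10:14:10 host=web01 parent=cmd.exe image=nltest.exe cmd="nltest /domain_trusts"',
    '2023-06-02 10:14:25 host=web01 parent=cmd.exe image=net.exe cmd="net group "domain admins" /domain"',
    '2023-06-02 10:15:02 host=web01 parent=cmd.exe image=ipconfig.exe cmd="ipconfig /all"',
    '2023-06-02 10:16:40 host=web01 parent=cmd.exe image=tasklist.exe cmd="tasklist /v"',
    '2023-06-02 11:30:00 host=db02 parent=explorer.exe image=ipconfig.exe cmd="ipconfig /all"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def classify(ev):
    """Return the set of reconnaissance categories a single event matches."""
    return {cat for cat, rx in RECON_PATTERNS.items() if rx.search(ev["cmd"])}


def analyze(lines, window=timedelta(minutes=10), min_categories=3):
    """Return alerts for web-process-spawned shells and per-host recon bursts."""
    alerts = []
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["parent"].lower() in WEB_PARENTS and ev["image"].lower() in SHELLS:
            alerts.append({"type": "web_process_spawned_shell", "host": ev["host"],
                           "ts": ev["ts"], "cmd": ev["cmd"]})
        cats = classify(ev)
        if cats:
            per_host[ev["host"]].append((ev["ts"], cats))
    # Sliding window: count distinct recon categories per host within `window`.
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, cats in events[i:]:
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                alerts.append({"type": "recon_burst", "host": host, "ts": start,
                               "categories": sorted(seen)})
                break  # one burst alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Any single reconnaissance command (the `ipconfig /all` on `db02`) is too common to alert on by itself; the burst rule requires several distinct categories on the same host inside the window, while the parent-child rule fires immediately because a web application process spawning a shell is rarely legitimate. Both thresholds and the pattern table are starting points to tune against your own baseline.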
The security advisory provides indicators of compromise, tactics, techniques, and procedures, and detection and protection methods for enterprise defenders, as well as mitigation advice.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Wed, 06 Dec 2023 15:28:05 +0000