A security flaw in Adobe's ColdFusion application server that was patched in March continues to be a headache for organizations still running unpatched versions of the product.
This week, the U.S. Cybersecurity and Infrastructure Security Agency said two public-facing web servers at an unnamed federal government agency were breached this summer by one or possibly two separate groups, with the hackers moving through filesystems, planting malware, including a remote access trojan, and viewing data through a web shell interface.
The attackers in both incidents exploited a vulnerability - tracked as CVE-2023-26360 - in the ColdFusion software, according to a CISA advisory released this week.
The agency said the attackers gained an initial foothold on the web servers through the flaw; Microsoft Defender for Endpoint alerted the targeted agency to the intrusion. Both servers sat in the agency's pre-production environment.
Adobe classifies CVE-2023-26360 as an improper access control flaw (CWE-284) that can lead to arbitrary code execution, and exploiting it requires no action by the targeted victims.
It also affects even earlier branches of the software that Adobe no longer supports (CISA notes ColdFusion 2016 and ColdFusion 11), so for those installations no fix will ever ship.
Despite the March patch, threat actors have continued to exploit the bug on unpatched systems.
Security researchers from Fortinet's FortiGuard Labs wrote in an advisory in August that they continue to see targeted attacks aimed at exploiting the flaw, adding that IPS devices had blocked hundreds of such attacks in late summer.
Rapid7 researchers wrote that an access control bypass vulnerability - CVE-2023-29298 - in ColdFusion could be chained with CVE-2023-26360 in attacks.
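The practical question the reporting above raises is whether a given ColdFusion install is past the March fix level. The following triage helper is an added example, not code from the article or from CISA or Adobe: it parses the version strings an administrator is likely to have in an inventory, compares them against the update levels Adobe's APSB23-25 bulletin shipped the fix in (ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6), and treats the end-of-life 2016 and 11 branches as permanently affected. The hostnames and build numbers in the sample inventory are constructed, and the assumption that the third field of the comma-separated build string is the update level is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Update levels that carry the CVE-2023-26360 fix, per Adobe bulletin APSB23-25
# (March 2023): ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6.
FIXED_UPDATE = {2018: 16, 2021: 6}
# Branches CISA notes are also affected but end-of-life, so no fix will ship.
EOL_BRANCHES = {11, 2016}

# Human-readable form: "ColdFusion 2021 Update 5", "ColdFusion 2018, Update 15",
# or just "ColdFusion 2016" with no update level.
_NAME = re.compile(r"ColdFusion\s+(\d{2,4})(?:[ ,]*Update\s+(\d+))?", re.I)
# Build-string form, e.g. "2021,0,05,330109" (assumption: the third field is
# the update level; build numbers used in the sample below are made up).
_BUILD = re.compile(r"\b(20\d\d)[,.]0[,.](\d+)[,.]\d+\b")


@dataclass
class Verdict:
    branch: int
    update: Optional[int]
    vulnerable: bool
    reason: str


def parse_version(text: str) -> Tuple[int, Optional[int]]:
    """Return (branch, update) from a version string; update is None if absent."""
    m = _BUILD.search(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _NAME.search(text)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    return int(m.group(1)), (int(m.group(2)) if m.group(2) else None)


def assess(text: str) -> Verdict:
    """Decide whether a version string indicates exposure to CVE-2023-26360."""
    branch, update = parse_version(text)
    if branch in EOL_BRANCHES:
        return Verdict(branch, update, True, "end-of-life branch: affected, no patch exists")
    if branch in FIXED_UPDATE:
        need = FIXED_UPDATE[branch]
        if update is None:
            # Fail closed: an unknown update level is treated as unpatched.
            return Verdict(branch, None, True, "update level unknown: assume unpatched")
        if update < need:
            return Verdict(branch, update, True, f"Update {update} is below Update {need}")
        return Verdict(branch, update, False, f"Update {update} includes the fix")
    if branch >= 2023:
        return Verdict(branch, update, False, "released after the fix; not listed as affected")
    return Verdict(branch, update, True, "unlisted branch: treat as vulnerable until verified")


def triage(inventory: str) -> List[str]:
    """Return sorted hostnames whose version line indicates an unpatched or EOL install.

    Each inventory line is '<host>\\t<version string>'; blank lines are skipped.
    """
    hosts = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split("\t", 1)
        if assess(version).vulnerable:
            hosts.append(host)
    return sorted(hosts)


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = (
    "web01\tColdFusion 2021 Update 5\n"
    "web02\t2021,0,06,330132\n"
    "web03\tColdFusion 2018, Update 15\n"
    "legacy1\tColdFusion 2016 Update 17\n"
    "web04\tColdFusion 2023 Update 3\n"
)

if __name__ == "__main__":
    for line in SAMPLE_INVENTORY.splitlines():
        host, version = line.split("\t", 1)
        v = assess(version)
        print(f"{host}: {'VULNERABLE' if v.vulnerable else 'ok'} ({v.reason})")
```

The helper fails closed on purpose: a branch that is in scope but whose update level cannot be read is reported as unpatched, and 2016 and 11 installs are flagged regardless of update level because, as CISA points out, those branches have no fix to apply.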
Both incidents against the unnamed federal agency happened in June.
In the earlier one, which began as early as June 2, the hackers gained access to the web server from a known-malicious IP address by exploiting the ColdFusion flaw.
The attackers also tried to exfiltrate various files but were stopped once the activity was detected and quarantined.
One artifact, a memory dump of the Local Security Authority Subsystem Service (lsass.exe) containing user account data and NTLM password hashes, was also detected and quarantined.
Other attempts to dump the registry and to download data from the threat actors' command-and-control server were blocked, as were efforts to access SYSVOL, the share on an agency domain controller used to deliver Group Policy and logon scripts to domain members.
The hackers likely viewed data in the ColdFusion seed.properties file, which holds the per-server seed values the product uses to encrypt stored credentials; those values are unique to a single server and are not usable on another.
In the second incident, the hackers gathered information about the web server and its operating system, ran a connectivity check, and checked whether ColdFusion 2018 was present; earlier checks had also been run against ColdFusion 2016.
As in the first attack, the threat actors moved through the filesystem and uploaded malicious code to the web server.
The uploaded code was written to run against ColdFusion 9 or earlier and to extract usernames, passwords, and data source URLs.
Published on securityboulevard.com. Publication date: Wed, 06 Dec 2023 20:43:05 +0000