CISA has released details about a federal agency that recently had at least two public-facing servers compromised by attackers exploiting a critical Adobe ColdFusion vulnerability.
The vulnerability, tracked as CVE-2023-26360, was disclosed in March and was shortly after added to CISA's known exploited vulnerability catalog, setting an April 5 deadline for agencies to fix the issue.
In a Tuesday advisory, CISA revealed the federal civilian executive branch in question was successfully attacked in June and into July, meaning the vulnerability went unpatched for more than three months after CISA's deadline.
CISA did not respond to questions about whether the agency has now patched the vulnerability, who was behind the attack, or its stance on the missed deadline.
Analysis of logs revealed the two servers identified as compromised were attacked in what appears to be two separate attacks.
In both cases, the servers were running outdated versions of the web app development platform and were vulnerable to various CVEs, CISA said.
The cybersecurity agency is unable to confirm whether data was stolen by the intruders in either incident.
It's believed both campaigns were designed as reconnaissance efforts to understand the broader network, although CISA also declined to say if the two attacks were linked to the same operators.
The first incident began on June 2 when attackers gained an initial foothold on the server by exploiting CVE-2023-26360.
Attackers then dropped a remote access trojan, a modified version of the ByPassGodzilla web shell code, before establishing persistence.
Other phases of the attack failed, including attempts to gather user account credentials via an LSASS dump, download data from the attacker's C2 infrastructure, and attempts to change policies across the compromised servers.
CISA said it's highly likely that the attackers accessed the ColdFusion seed value and encryption method used to encrypt passwords - a method that can also be used to decrypt them.
That said, no malicious code was found on the victim server to indicate any decryption was attempted using those seed values.
The second incident began on June 26 and saw miscreants connect via a malicious IP address that resolves to a legitimate public cloud service.
They checked running processes to learn about the web server and its operating system, and scanned for ColdFusion version 2018 and version 2016 - an older EOL version that's also vulnerable to the flaw.
Attackers were observed traversing the filesystem and deleting logs to evade detection.
They then made HTTP POST requests to a ColdFusion configuration file and analysis showed evidence of malicious code that is designed to execute on ColdFusion versions 9 and below.
CISA went on to report that the malicious code was unable to decrypt any passwords because it was designed for ColdFusion versions 8 and older, where the seed value was hardcoded.
The FCEB agency in question was running a newer version, so password decryption wasn't achieved in this way.
Other stages of the attack, like the attacker's attempts to hide their web shell, also failed to execute as intended.
This Cyber News was published on go.theregister.com. Publication date: Tue, 05 Dec 2023 18:28:05 +0000