CISA reveals how fed agency succumbed to ColdFusion attacks The Register

CISA has released details about a federal agency that recently had at least two public-facing servers compromised by attackers exploiting a critical Adobe ColdFusion vulnerability.
The vulnerability, tracked as CVE-2023-26360, was disclosed in March and was shortly after added to CISA's known exploited vulnerability catalog, setting an April 5 deadline for agencies to fix the issue.
In a Tuesday advisory, CISA revealed the federal civilian executive branch in question was successfully attacked in June and into July, meaning the vulnerability went unpatched for more than three months after CISA's deadline.
CISA did not respond to questions about whether the agency has now patched the vulnerability, who was behind the attack, or its stance on the missed deadline.
Analysis of logs revealed the two servers identified as compromised were attacked in what appears to be two separate attacks.
In both cases, the servers were running outdated versions of the web app development platform and were vulnerable to various CVEs, CISA said.
The cybersecurity agency is unable to confirm whether data was stolen by the intruders in either incident.
It's believed both campaigns were designed as reconnaissance efforts to understand the broader network, although CISA also declined to say if the two attacks were linked to the same operators.
The first incident began on June 2 when attackers gained an initial foothold on the server by exploiting CVE-2023-26360.
Attackers then dropped a remote access trojan, a modified version of the ByPassGodzilla web shell code, before establishing persistence.
Other phases of the attack failed, including attempts to gather user account credentials via an LSASS dump, download data from the attacker's C2 infrastructure, and attempts to change policies across the compromised servers.
CISA said it's highly likely that the attackers accessed the ColdFusion seed value and encryption method used to encrypt passwords - a method that can also be used to decrypt them.
That said, no malicious code was found on the victim server to indicate any decryption was attempted using those seed values.
The second incident began on June 26 and saw miscreants connect via a malicious IP address that resolves to a legitimate public cloud service.
They checked running processes to learn about the web server and its operating system, and scanned for ColdFusion version 2018 and version 2016 - an older EOL version that's also vulnerable to the flaw.
Attackers were observed traversing the filesystem and deleting logs to evade detection.
They then made HTTP POST requests to a ColdFusion configuration file and analysis showed evidence of malicious code that is designed to execute on ColdFusion versions 9 and below.
CISA went on to report that the malicious code was unable to decrypt any passwords because it was designed for ColdFusion versions 8 and older, where the seed value was hardcoded.
The FCEB agency in question was running a newer version, so password decryption wasn't achieved in this way.
Other stages of the attack, like the attacker's attempts to hide their web shell, also failed to execute as intended.


This Cyber News was published on go.theregister.com. Publication date: Tue, 05 Dec 2023 18:28:05 +0000


Cyber News related to CISA reveals how fed agency succumbed to ColdFusion attacks The Register

CISA reveals how fed agency succumbed to ColdFusion attacks The Register - CISA has released details about a federal agency that recently had at least two public-facing servers compromised by attackers exploiting a critical Adobe ColdFusion vulnerability. The vulnerability, tracked as CVE-2023-26360, was disclosed in March ...
10 months ago Go.theregister.com
CISA pledges to resolve issues with threat sharing system after watchdog report - On Friday, the Department of Homeland Security’s Office of the Inspector General published a report on Automated Indicator Sharing (AIS) — which was used to spread cyber threat intelligence and was mandated as part of a 2015 law. The nation’s ...
1 week ago Therecord.media
CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog - CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog. CISA adds ...
4 months ago Securityaffairs.com
Hackers breach US govt agencies using Adobe ColdFusion exploit - The U.S. Cybersecurity and Infrastructure Security Agency is warning about hackers actively exploiting a critical vulnerability in Adobe ColdFusion identified as CVE-2023-26360 to gain initial access to government servers. The security issue allows ...
10 months ago Bleepingcomputer.com
CISA: Hackers Use ColdFusion Flaw to Breach Federal Agency - A security flaw in Adobe's ColdFusion application development tool that was patched in March continues to be a headache for organizations running unpatched versions of the product. This week, the U.S. Cybersecurity and Infrastructure Security Agency ...
10 months ago Securityboulevard.com
CISA: Threat Actor Breached Federal Systems via Adobe ColdFusion Flaw - An unidentified threat actor or threat actors gained access to two public facing Web servers at a US federal government agency earlier this year by exploiting a critical but previously patched vulnerability in Adobe ColdFusion. The intrusions appear ...
10 months ago Darkreading.com
CISA's OT Attack Response Team Understaffed: GAO - The US Government Accountability Office has conducted a study focusing on the operational technology cybersecurity products and services offered by CISA and found that some of the security agency's teams are understaffed. OT environments continue to ...
6 months ago Securityweek.com
CISA: Adobe ColdFusion flaw leveraged to access government servers - Unknown attackers have leveraged a critical vulnerability in the Adobe ColdFusion application development platform to access government servers, the Cybersecurity and Infrastructure Security Agency has shared. CVE-2023-26360 is a deserialization of ...
10 months ago Helpnetsecurity.com
CISA confirms compromise of its Ivanti systems - CISA confirmed two of its internal systems were breached by a threat actor that exploited flaws in Ivanti products used by the U.S. cybersecurity agency. Ivanti on Jan. 10 disclosed two zero-day vulnerabilities that were under exploitation by a ...
7 months ago Techtarget.com
Biden's budget proposal boosts CISA's funding to $3b The Register - US President Joe Biden has asked Congress to approve an extra $103 million in funding for the Cybersecurity and Infrastructure Security Agency, bringing CISA's total budget to $3 billion. Biden proposed his $7.3 trillion spending plan for fiscal year ...
6 months ago Go.theregister.com
Hackers Exploit Adobe ColdFusion Flaw to Hack Government Servers - A recent cybersecurity advisory from CISA has brought to light a formidable cyber onslaught, revealing an alarming breach where faceless hackers capitalized on a critical vulnerability within Adobe ColdFusion. This exploit targeted government ...
10 months ago Cybersecuritynews.com
Enabling Threat-Informed Cybersecurity: Evolving CISA's Approach to Cyber Threat Information Sharing - One of CISA's most important and enduring roles is providing timely and actionable cybersecurity information to our partners across the country. Nearly a decade ago, CISA stood up our Automated Indicator Sharing, or AIS, program to widely exchange ...
9 months ago Cisa.gov
Adobe Coldfusion vulnerability used in attacks on government servers - The Cybersecurity and Infrastructure Security Agency put out a Cybersecurity Advisory to alert government agencies about cybercriminals using a vulnerability in Adobe Coldfusion to gain initial access to servers. Adobe ColdFusion is a platform for ...
10 months ago Malwarebytes.com
CVE-2013-0135 - Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) ...
7 years ago
Cybersecurity Performance Goals: Assessing How CPGs Help Organizations Reduce Cyber Risk - In October 2022, CISA released the Cybersecurity Performance Goals to help organizations of all sizes and at all levels of cyber maturity become confident in their cybersecurity posture and reduce business risk. Earlier this summer, CISA outlined ...
10 months ago Cisa.gov
CISA Finalizes Microsoft 365 Secure Configuration Baselines - When CISA initiated its Secure Cloud Business Applications project, our goal was to elevate the federal government's baseline for email and cloud environments by optimizing the security capabilities available within widely used products and services ...
9 months ago Cisa.gov
CISA: Thousands of bugs remediated in second year of vulnerability disclosure program - With 11 new agency programs onboarding in 2023, the VDP Platform drew heightened researcher attention and engagement, which facilitated a marked increase in the volume of vulnerability submissions received, valid vulnerabilities identified and ...
1 week ago Therecord.media
Adobe ColdFusion Vulnerability Exploited in Attacks on US Government Agency - The US cybersecurity agency CISA on Tuesday published an alert to warn organizations about the exploitation of an Adobe ColdFusion vulnerability. In August, cybersecurity firm Rapid7 said it had seen multiple attacks leveraging the ColdFusion ...
10 months ago Securityweek.com
Adobe ColdFusion Vulnerability Exploited in Attacks on US Government Agency - The US cybersecurity agency CISA on Tuesday published an alert to warn organizations about the exploitation of an Adobe ColdFusion vulnerability. In August, cybersecurity firm Rapid7 said it had seen multiple attacks leveraging the ColdFusion ...
10 months ago Packetstormsecurity.com
CISA Sells Private Sector on CIRCIA Reporting Rules - RSA CONFERENCE 2024 - San Francisco - The Cybersecurity and Infrastructure Security Administration has tagged an additional 30 days onto the window for the private sector to provide feedback on proposed Cyber Incident Reporting for Critical ...
5 months ago Darkreading.com
Securing Tomorrow: A Recap of CISA's Cyber Resilient 911 Symposium - CISA's Emergency Communications Division spearheaded the Cyber Resilient 911 Program's fourth regional symposium, which included CISA Regions 5 and 7. Among the attendees were state 911 administrators, representatives from 911 centers, IT/cyber ...
4 months ago Cisa.gov
Cisco Defense Orchestrator's Path to FedRAMP Authorization - Today I'd like to shed some light on the status and processes involved for one of these solutions as it moves forward on achieving FedRAMP® Authorization-Cisco Defense Orchestrator. Moving forward on FedRAMP. Cisco has made great progress in moving ...
4 months ago Feedpress.me
CISA Reports Federal Agencies Hacked Using Legitimate Remote Desktop Tools - The Cybersecurity and Infrastructure Security Agency (CISA), the agency in charge of overseeing the security of the United States government’s networks and critical infrastructure, has issued an alert warning federal agencies to beware of hackers ...
1 year ago Bleepingcomputer.com
CVE-2017-17713 - Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp ...
6 years ago
CVE-2017-17714 - Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, ...
6 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)