An unidentified threat actor (or actors) gained access to two public-facing Web servers at a US federal government agency earlier this year by exploiting a critical vulnerability in Adobe ColdFusion for which a patch had long been available.
The intrusions appear to have been part of a reconnaissance effort to map out the agency's broader network, but there is no evidence of data exfiltration or lateral movement on the compromised network, the US Cybersecurity and Infrastructure Security Agency (CISA) said this week.
Two Intrusions
In an advisory, CISA described the attacks as taking place in June and July and involving CVE-2023-26360, an improper access control vulnerability that allows arbitrary code execution on affected systems.
The vulnerability affects multiple ColdFusion versions, including end-of-life versions that Adobe no longer supports.
Adobe assigned the vulnerability a CVSS base score of 8.6 out of 10, which falls in the High band of the CVSS scale, while rating it Critical under Adobe's own severity scheme.
It was one of two critical vulnerabilities that Adobe disclosed in the same advisory; the other, CVE-2023-26359, is a deserialization of untrusted data flaw that also allows arbitrary code execution.
CISA, which had already placed CVE-2023-26360 in its Known Exploited Vulnerabilities (KEV) catalog, later added CVE-2023-26359 as well amid reports of active attacks targeting that flaw.
Adobe ColdFusion is a proprietary platform for building Web and mobile apps that many would consider legacy.
Adobe itself claims that 60% of Fortune 500 companies currently use ColdFusion for Web application development.
In the June incident, the threat actor exploited CVE-2023-26360 on a server running Adobe ColdFusion v2016.
After gaining initial access, the threat actor enumerated the processes running on the system and performed a network connectivity check, presumably to confirm that they could communicate with the compromised server.
The attackers also tried to gather other information about the Web server and its operating system, and used HTTP POST requests to upload malware that extracted usernames, passwords, data source URLs and other information that could be used in subsequent attacks, CISA said.
In the other attack, the same or a different threat actor exploited CVE-2023-26360 to breach a different Web server at the same federal agency - this one running a different version of ColdFusion.
After breaching the system, the threat actor explored opportunities for lateral movement on the compromised network and collected a range of information about local- and domain-level administrative accounts.
The attacker also conducted network and host reconnaissance in an attempt to collect network configuration information, time logs, and user information.
As with the June incident, the threat actor used HTTP POST requests to drop malicious code, including a remote access Trojan, on the breached server.
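Both intrusions share one artifact that lands in ordinary Web server logs: HTTP POST requests to a ColdFusion server that deliver or invoke attacker-supplied code. The following is an added example, not code from the CISA advisory or from Adobe, of a small log scanner that flags two patterns a defender would want to see: any POST aimed at the ColdFusion Administrator interface (which sits under /CFIDE/administrator/ and /CFIDE/adminapi/ in a default install and should never be reachable from the internet in the first place), and a successful POST to a ColdFusion or JSP script under /CFIDE/ that is not on an allowlist of known application endpoints, which is what a dropped file being exercised looks like. The log lines, the IP addresses, the allowlist and the file names are all constructed for this example; the rule thresholds are assumptions to tune per deployment.

```python
import re
from collections import defaultdict

# Apache/NGINX "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default locations of the ColdFusion Administrator and its admin API.
# Legitimate internet traffic never POSTs here (assumption: no admin exposure intended).
ADMIN_PREFIXES = ("/cfide/administrator/", "/cfide/adminapi/")

# Script extensions whose invocation via POST suggests code execution rather than a form submit.
SCRIPT_EXTS = (".cfm", ".cfc", ".cfml", ".jsp")

# Constructed allowlist of application endpoints that are expected to receive POSTs.
KNOWN_POST_ENDPOINTS = {"/app/login.cfm", "/app/search.cfm"}

# Constructed sample log (not real data). 203.0.113.7 probes, then POSTs to the admin
# interface and to a script that no application route serves; 198.51.100.20 is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2023:10:02:11 +0000] "GET /index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2023:10:02:15 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2023:10:02:19 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [14/Jun/2023:10:02:23 +0000] "POST /CFIDE/adminapi/base.cfc?method=login HTTP/1.1" 200 64 "-" "python-requests/2.31"
203.0.113.7 - - [14/Jun/2023:10:02:40 +0000] "POST /CFIDE/scripts/dropped.cfm HTTP/1.1" 200 210 "-" "python-requests/2.31"
203.0.113.7 - - [14/Jun/2023:10:02:41 +0000] "POST /CFIDE/scripts/other.cfm HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.20 - - [14/Jun/2023:10:03:01 +0000] "POST /app/login.cfm HTTP/1.1" 200 44 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # match on the path, not the query string
    return entry


def classify(entry):
    """Return the names of the rules that fire for one parsed entry (empty list if none)."""
    hits = []
    if entry["method"] != "POST":
        return hits
    path = entry["path"].lower()
    is_admin = path.startswith(ADMIN_PREFIXES)
    if is_admin:
        hits.append("post_to_admin_interface")
    # A 2xx POST to a script under /CFIDE/ that the application does not define:
    # the shape of a dropped file being invoked after a successful upload.
    if (path.startswith("/cfide/") and not is_admin
            and path.endswith(SCRIPT_EXTS)
            and path not in KNOWN_POST_ENDPOINTS
            and 200 <= entry["status"] < 300):
        hits.append("post_to_unlisted_cfide_script")
    return hits


def scan(log_text):
    """Scan a log; returns {source_ip: [(path, [rule, ...]), ...]} for entries that fired."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rules = classify(entry)
        if rules:
            findings[entry["ip"]].append((entry["path"], rules))
    return dict(findings)


if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        for path, rules in events:
            print(f"{ip} POST {path} -> {', '.join(rules)}")
```

Two caveats a practitioner would add. First, this only sees the HTTP side: the process enumeration, connectivity checks and account discovery CISA describes happen on the host and need EDR or Sysmon-style telemetry, not access logs. Second, the server in the June incident ran ColdFusion 2016, which Adobe no longer supports, so detection here is a stopgap; the durable fix is upgrading to a supported release and restricting the /CFIDE/ administrator paths at the Web server, as Adobe's lockdown guidance has long recommended.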
Challenges With Securing Legacy Systems
John Gallagher, vice president of Viakoo Labs at Viakoo, says that while CVE-2023-26360 is a serious vulnerability, there is some consolation in the fact that it affects servers that traditional cybersecurity solutions can otherwise monitor and act on.
Generally, legacy commercial software technologies such as ColdFusion are attractive targets for attackers for multiple reasons, says Callie Guenther, senior manager, cyber threat research at Critical Start.
These include a relative lack of updates and support; high prevalence in enterprise organizations; and a perception among attackers that these systems are likely less monitored and protected than more state-of-the-art systems.
Maintaining a secure posture around these systems can be challenging because of the difficulties involved in integrating modern security tools with legacy systems, potential disruptions when upgrading or replacing these technologies, and a dwindling supply of people who are familiar with the technologies, Guenther says.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 06 Dec 2023 22:30:06 +0000