A recent attack against servers running out-of-date Adobe software sheds some light on how threat actors are currently trying to exploit systems and deploy ransomware. In this attack, which took place in September and early October, the threat actors hoped to gain access to Windows servers and subsequently deploy ransomware payloads. While the attack was not successful, there are lessons to be learned from it.

According to an analysis by the Sophos researchers who uncovered the attack, the threat actor was trying to deploy ransomware built from the leaked source code of the LockBit 3.0 ransomware family. The attackers likely chose LockBit 3.0 because of its speed and effectiveness. In this incident the attacker did not use any new techniques but instead targeted old and unsupported ColdFusion 11 software.

How attackers gained entry and tried to escalate access

While it is known that the attack began with the exploitation of a vulnerability in ColdFusion 11, researchers could not identify the precise vulnerability exploited because network connection telemetry was not available. Following the trail of telemetry that was left behind, the Sophos researchers found that the attackers had left directory listings enabled on the web server hosting their repository of tools. "Within it, we discovered all the artifacts the attacker had attempted to deploy in the customer environment, as well as the final ransomware payload that the attacker intended to deploy, also sourced from the repository," the researchers noted.

According to Sophos, the ransomware variant carries a ransom note that credits "BlackDogs 2023" as the threat actor and appears to be a new family of ransomware with a possible link to the leaked LockBit 3.0 source code. With several vulnerabilities exploited over the past year, Adobe's ColdFusion software remains a frequent target.
Most recently, ColdFusion came under fire through a Known Exploited Vulnerability affecting Adobe ColdFusion versions 2018u18, 2021u8 and 2023u2 and earlier. The CVE entry describes it as "An Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction."

Organizations that run old software that is no longer supported set themselves up to be attacked and to become the victims of a successful attack. Attackers will always seek out unpatched systems, and when they find one they will test whether they can take advantage of it. In this incident, the endpoint detection and response (EDR) product detected and blocked the attack and prevented the ransomware from being deployed on the system. This serves as a reminder for organizations to use currently supported software, keep those systems up to date, and invest in security controls that will detect and mitigate attacks.

In conclusion, this failed attack against ColdFusion servers reveals a lot about the current state of ransomware. Threat actors continually refine their tactics and seek out vulnerabilities to exploit, whether newly disclosed or, as here, long left unpatched.
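The CVE description above matters to defenders because the ColdFusion Administrator and Admin API live at well-known paths, so a request to them from anywhere other than a management network is worth an alert regardless of which bypass got the attacker there. The following Python script is an added example, not code from the article or from Sophos: it runs a simple detection over constructed Apache-style access log lines, normalizing each request path (query string stripped, percent-decoding, dot-segment collapsing, case folding) before matching it against the standard /CFIDE/administrator/ and /CFIDE/adminapi/ prefixes and a hypothetical management-network allowlist. The log lines, IP addresses and allowlist are all assumptions made up for the example.

```python
import re
import urllib.parse
from ipaddress import ip_address, ip_network
from posixpath import normpath

# Constructed sample lines in Apache/NCSA combined log format. They are made up for
# this example and are not telemetry from the incident the article describes.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Oct/2023:10:15:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.17 - - [02/Oct/2023:10:16:44 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.17 - - [02/Oct/2023:10:16:45 +0000] "POST /cfide/ADMINAPI/administrator.cfc?method=login HTTP/1.1" 200 233 "-" "python-requests/2.31"
203.0.113.17 - - [02/Oct/2023:10:16:46 +0000] "GET /images/../CFIDE/administrator/settings/server.cfm HTTP/1.1" 200 9001 "-" "python-requests/2.31"
203.0.113.17 - - [02/Oct/2023:10:16:47 +0000] "GET /%43FIDE/administrator/index.cfm HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.9 - - [02/Oct/2023:10:20:03 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

# Assumed management network from which the ColdFusion Administrator is legitimately
# used (an assumption for the example; set it to whatever your environment permits).
ADMIN_ALLOWLIST = ("10.0.0.0/24",)

# Standard ColdFusion Administrator (.cfm pages) and Admin API (.cfc components)
# locations, compared in lower case after normalization.
ADMIN_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def normalize_path(uri: str) -> str:
    """Reduce a request URI to a canonical, lower-case path for matching.

    Strips the query string, percent-decodes twice (to also catch double encoding),
    collapses '.' and '..' segments and folds case, because the server resolves all
    of those spellings to the same resource while a naive substring match does not.
    """
    path = uri.split("?", 1)[0]
    path = urllib.parse.unquote(urllib.parse.unquote(path))
    return normpath(path).lower()


def is_admin_path(path: str) -> bool:
    """True if the normalized path is the admin directory itself or anything under it."""
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def find_admin_access(log_text: str, allowlist=ADMIN_ALLOWLIST):
    """Return (ip, method, normalized_path, status) for every request to an admin
    endpoint whose source is outside the allowlist. The status is kept so an analyst
    can tell a blocked probe (401/403/404) from a page that was actually served (2xx)."""
    nets = [ip_network(n) for n in allowlist]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        path = normalize_path(m["uri"])
        if not is_admin_path(path):
            continue
        src = ip_address(m["ip"])
        if any(src in net for net in nets):
            continue
        hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits


def summarize_by_source(hits):
    """Count flagged admin requests per source address, for triage."""
    counts = {}
    for ip, _method, _path, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_admin_access(SAMPLE_LOG)
    for ip, method, path, status in flagged:
        print(f"{ip} {method} {path} -> {status}")
    print(summarize_by_source(flagged))
```

Matching after normalization is the point: a plain substring match on "/CFIDE/administrator/" misses the mixed-case, percent-encoded and ".."-traversal variants in the sample, which the web server will generally resolve to the same page. Run the same logic over real logs with the allowlist set to the addresses that are actually permitted to reach the Administrator, and treat a 200 from outside it on an unpatched server as a potential compromise rather than a curiosity.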
This Cyber News was published on www.scmagazine.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000