Unknown attackers exploited a known access control vulnerability in two Adobe ColdFusion application servers at a federal government agency in June, gaining access to the environment, uploading a webshell, and adding malicious code to the servers.
There were two separate incidents at the unnamed agency in June, and according to a new advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the attacks may be the work of one group or two separate groups. The intrusions appeared to be focused on reconnaissance and mapping out the network infrastructure, and CISA said there is no evidence that data was exfiltrated during the intrusions. In both instances, the attackers exploited CVE-2023-26360 in ColdFusion, a bug that Adobe released a fix for in March.
“In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software which are vulnerable to various CVEs. Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion,” the CISA advisory says.
In the earlier of the two intrusions, attackers exploited the ColdFusion bug and then started collecting information about local and domain administrator accounts and looking for lateral movement opportunities. The attackers then dropped a small JavaScript loader that communicates with the attackers’ C2 server. They then tried to exfiltrate several registry files. Interestingly, the attackers also used the web shell they installed on the server to view the contents of the seed.properties file on the ColdFusion server, which holds the seed value and encryption method for encrypting passwords.
In the second incident, the attackers also performed some reconnaissance and network connectivity checks once they had access to the ColdFusion server. They then uploaded a web shell and added some malicious code to config.cfm, a configuration file on the server.
“Code review of config.cfm indicated malicious code—intended to execute on versions of ColdFusion 9 or less—was inserted with the intent to extract username, password, and data source uniform resource locators (URLs). According to analysis, this code insertion could be used in future malicious activity by the threat actors (e.g., by using the valid credentials that were compromised). This file also contained code used to upload additional files by the threat actors; however, the agency was unable to identify the source of their origin,” the CISA advisory says.
In the second intrusion, the attackers also added some code that was meant to decrypt passwords for some ColdFusion data sources, although this failed because the affected server was running a newer version of the software.
“The seed value included in the code is a known value for ColdFusion version 8 or older—where the seed value was hard-coded. A threat actor who has control over the database server can use the values to decrypt the data source passwords in ColdFusion version 8 or older,” the advisory says.
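As an added defender-side example, not code from the CISA advisory or the affected agency, the following Python script flags HTTP POST requests to ColdFusion paths from untrusted addresses in web server access logs (the malware-drop pattern described above) and reports changes to config.cfm and seed.properties against recorded hashes. The sample log lines, the /CFIDE/ and /cfusion/ path prefixes and the trusted network range are constructed assumptions.

```python
import hashlib
import re

# Constructed sample access log lines (Apache combined format); not from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2023:10:01:09 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jun/2023:10:02:30 +0000] "POST /cfusion/upload.cfm HTTP/1.1" 200 41 "-" "curl/8.0"
10.0.0.5 - - [12/Jun/2023:10:02:45 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2023:10:03:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# ColdFusion directory prefixes where a POST from outside the trusted range deserves review (assumed paths).
WATCHED_PREFIXES = ("/CFIDE/", "/cfusion/")

def suspicious_posts(log_text, trusted_nets=("10.",)):
    """Return (ip, path, status) for POSTs to watched ColdFusion paths from untrusted clients."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        if method != "POST" or not path.startswith(WATCHED_PREFIXES):
            continue
        if ip.startswith(trusted_nets):
            continue  # assumed-internal deployment traffic is ignored
        hits.append((ip, path, int(status)))
    return hits

# Sensitive ColdFusion files that should only change during a deliberate deployment.
WATCHED_FILES = ("config.cfm", "seed.properties")

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def changed_files(baseline: dict, current_contents: dict):
    """Compare recorded SHA-256 hashes of watched files against hashes of their current contents."""
    current = {name: sha256_of(data) for name, data in current_contents.items()}
    return sorted(name for name in WATCHED_FILES if baseline.get(name) != current.get(name))

if __name__ == "__main__":
    print(suspicious_posts(SAMPLE_LOG))
    baseline = {"config.cfm": sha256_of(b"<cfset x = 1>"), "seed.properties": sha256_of(b"seed=constructed")}
    print(changed_files(baseline, {"config.cfm": b"<cfset x = 1><cfinclude template='dropped.cfm'>",
                                   "seed.properties": b"seed=constructed"}))
```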
The ColdFusion vulnerability affects several versions of the software, including 2018 and 2021, as well as end-of-life versions such as 2016 and 11.