The Shocking Exploitation of Adobe ColdFusion Vulnerability and its Impact on Federal Agencies
Exploitation of Adobe ColdFusion Vulnerability
Details on CVE-2023-26360, patched in March 2023
The cybersecurity community was put on high alert when Adobe revealed the existence of a significant vulnerability in ColdFusion, its widely used web application development platform. Tracked as CVE-2023-26360, this flaw was known to have been exploited in the wild, prompting Adobe to release a patch in March 2023. As the company disclosed at the time, the vulnerability was being used in "very limited attacks," but a potential wider misuse was also noted.
Notice of potential widespread exploitation by Rapid7
Rapid7, a cybersecurity firm, reported observing multiple attacks leveraging the aforementioned Adobe vulnerability. This report, released in August 2023, raised concerns regarding the likelihood of extensive flaw exploitation. The cybersecurity community was prompted to heighten vigilance following the revelation that the attacks were not as limited as initially deemed by Adobe.
Disclosure by CISA of Exploitation in US Federal Agency Attack
In a surprising twist, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory indicating that CVE-2023-26360 had been exploited in attacks on a US federal agency. CISA revealed that the attacks, which took place in June, targeted servers belonging to a federal civilian executive branch agency. The incident illustrates the harm such vulnerabilities can inflict on large, high-stakes organizations.
Perpetrators leveraged the flaw to establish a foothold in agency systems
According to CISA, threat actors exploited the vulnerability to establish an initial foothold on two agency systems in two separate incidents. The flaw was leveraged to access web servers hosted in the victim's pre-production environment. Using HTTP POST commands, the attackers could drop malware into the directory path associated with ColdFusion. However, CISA clarifies that there is no evidence of successful data exfiltration or lateral movement within the network during either incident.
Attack Process and Aftermath
Initial incidents occurring in early and late June
In two distinct attacks in early and late June, threat actors successfully exploited the Adobe ColdFusion vulnerability, CVE-2023-26360. The compromised servers, belonging to a federal agency, were running unsupported versions of ColdFusion and therefore lacked the security patches necessary to mitigate this flaw. It is unknown whether the same threat actors were responsible for both breaches.
Targeting of pre-production environment web servers with outdated software
The threat actors targeted web servers within the victim agency's pre-production environment. These servers ran outdated versions of the software that were affected by several vulnerabilities. The server compromised in the earlier June breach was running the legacy version Adobe ColdFusion 2016.0.0.3. In the subsequent breach, a different server, also running an older version of ColdFusion, was compromised.
Use of flaw to drop malware using HTTP POST commands to directory path associated with ColdFusion
Leveraging the ColdFusion flaw, the perpetrators delivered malware to the server using HTTP POST commands. These commands targeted the directory path associated with ColdFusion, allowing the attackers to implant their malware. This gave them illicit access to sensitive details such as usernames, passwords, and data source URLs, which would be valuable for future attacks. In both incidents the attackers repeated this process, using HTTP POST commands to drop malicious code, including a remote access Trojan, on the compromised servers.
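As a defender-side illustration of the pattern described above, the following added example (not code from the article or from CISA's advisory) scans web access log lines for POST requests aimed at directory prefixes associated with a ColdFusion install and tallies them per client address for triage. The watched prefixes and the sample log lines are assumptions constructed for the example; adjust the prefixes to the paths your deployment actually serves.

```python
import re
from collections import defaultdict

# Combined Log Format (Apache-style) regex; we only need client IP, timestamp,
# method, path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed prefixes served from the ColdFusion install (the article only says
# "the directory path associated with ColdFusion"; tailor these to your site).
WATCHED_PREFIXES = ("/CFIDE/", "/cfusion/")

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious_posts(lines, prefixes=WATCHED_PREFIXES):
    """Return one dict per POST whose path (query string ignored) is under a watched prefix."""
    hits = []
    wanted = tuple(p.lower() for p in prefixes)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if path.lower().startswith(wanted):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": path,
                         "status": int(rec["status"])})
    return hits

def summarize_by_source(hits):
    """Count flagged POSTs per client IP, most active source first."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["ip"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample lines (not real traffic): one page view, two POSTs into the
# ColdFusion tree from one client, an unrelated POST, and an unparsable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2023:03:14:07 +0000] "GET /index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Jun/2023:03:14:09 +0000] "POST /CFIDE/example_dropped.cfm HTTP/1.1" 200 312',
    '203.0.113.7 - - [12/Jun/2023:03:14:11 +0000] "POST /cfusion/wwwroot/x.cfm?a=1 HTTP/1.1" 200 88',
    '198.51.100.4 - - [12/Jun/2023:03:15:00 +0000] "POST /contact/submit HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(summarize_by_source(find_suspicious_posts(SAMPLE_LOG)))
```

A single flagged POST is not proof of compromise; the summary is meant to prioritise which hosts and paths to examine for newly written files.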
Suggestion of reconnaissance effort by attackers with no evidence of successful data exfiltration or lateral movement
Subsequent evaluation of the attacks indicated that the attackers' efforts were primarily reconnaissance-oriented. After gaining an initial foothold, they engaged in system enumeration, network and host reconnaissance, customer mapping, and collection of information about local and domain-level administrative accounts. Despite these investigative activities and the planting of malicious code, there was no confirmed data exfiltration or lateral movement from either of the compromised systems.
CISA's Response and Advisory
Description of threat actors as "unidentified"
In the aftermath of the server compromises in which the Adobe ColdFusion vulnerability was exploited, CISA held back from identifying the threat actors involved, referring to them only as "unidentified" in its advisory. When TechCrunch sought additional information about the perpetrators' identity, CISA spokesperson Antonio Soliz declined to comment, underscoring the agency's decision to refrain from disclosure.
Advisory issued on exploitation techniques, indicators of compromise, and protection measures
In response to the exploitation of the Adobe ColdFusion vulnerability, CISA issued a dedicated cybersecurity advisory to help organizations recognize and prevent such attacks. The advisory provides detailed information on the tactics, techniques, and procedures used by the attackers and the known indicators of compromise, making it a valuable resource for organizations defending against this threat. Microsoft Defender for Endpoint, Windows' native antivirus software, had alerted the agency to the potential exploitation and quarantined the threat during both cyberattacks. CISA also stressed the importance of keeping software up to date, as the exploited servers were running outdated and unsupported legacy versions of Adobe ColdFusion.
Lack of linkage to previously known threat groups
CISA has resisted speculation regarding the actors responsible for exploiting CVE-2023-26360, choosing not to connect the attacks to any known threat group. This stance aligns with the general approach of law enforcement and the cybersecurity community of withholding attribution until solid evidence is available, and it highlights the caution and confidentiality required in handling cybersecurity threats. The advisory further notes that the two reported cyberattacks could not be conclusively attributed to the same hackers.
Exploits of other vulnerabilities in similar sectors
The exploitation of the Adobe ColdFusion flaw is not an isolated incident; similar sectors have witnessed comparable breaches. Among them, Atlassian addressed four new remote code execution vulnerabilities in its products, and CISA added flaws found in Qualcomm's products to its Known Exploited Vulnerabilities catalog. In other alarming news, threat actors have also breached critical US government systems, underscoring the necessity of a robust security posture. CISA's recommendations include prompt software updating, particularly for vulnerabilities under active exploitation; secure configurations such as eliminating default passwords and implementing single sign-on; network segmentation; restricted file and directory permissions; and stringent NTLM authentication policy settings.