Federal Agency Servers Breached Utilizing ColdFusion Vulnerability

In a recent alert, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that unidentified threat actors are actively exploiting a significant Adobe ColdFusion vulnerability, CVE-2023-26360. The exploitation gave them unauthorized access to government servers, with the affected period pinpointed between June and July 2023.

Identifying the Vulnerability (CVE-2023-26360): An Improper Access Control Concern

The vulnerability behind the federal agency breach, identified as CVE-2023-26360 (more info here), is an improper access control issue that can lead to arbitrary code execution. CISA highlighted that a specific federal agency fell victim to this attack during the aforementioned time frame, and that the attackers also breached other government servers through the same ColdFusion vulnerability.

Addressing the Flaw: Adobe’s Response and Updates

The impact of this flaw extends to ColdFusion 2018 (Update 15 and earlier versions) as well as ColdFusion 2021 (Update 5 and earlier versions). Adobe promptly addressed the issue in versions Update 16 and Update 6, both released on March 14, 2023.

Adding urgency to the matter, CISA swiftly included this vulnerability in the Known Exploited Vulnerabilities (KEV) catalog, indicating tangible evidence of ongoing exploitation in the wild. Concurrently, Adobe acknowledged the situation in an advisory, stating awareness of the flaw being “exploited in the wild in very limited attacks.”

The Attack: Compromised Servers and Malicious Commands

Investigations by CISA revealed that the attackers compromised at least two public-facing servers, both running outdated ColdFusion software versions. Exploiting the identified vulnerability, threat actors executed various commands on these compromised servers, enabling them to drop malware through HTTP POST requests directed at the ColdFusion-associated directory path.
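The drop-then-invoke pattern described above (a POST into a ColdFusion directory followed by a request to a script file that had never been served before) can be triaged from web server access logs. The following is an added example, not code from CISA or Adobe; the log lines are constructed, and the ColdFusion directory prefixes are assumptions, since the alert names no specific path.

```python
import re

# Constructed Apache combined-format access log lines (not from the CISA report).
SAMPLE_LOG = """\
198.51.100.20 - - [12/Jun/2023:09:58:10 +0000] "GET /CFIDE/scripts/ajax/package/cfajax.js HTTP/1.1" 200 8841
203.0.113.7 - - [12/Jun/2023:10:01:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jun/2023:10:01:09 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 312
203.0.113.7 - - [12/Jun/2023:10:01:15 +0000] "POST /CFIDE/scripts/ajax/package/sh.cfm HTTP/1.1" 200 44
198.51.100.20 - - [12/Jun/2023:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 2200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed ColdFusion-associated directory prefixes; adjust to your deployment.
CF_PREFIXES = ("/CFIDE/", "/cf_scripts/")
SCRIPT_EXTS = (".cfm", ".cfc", ".jsp")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_drops(lines, prefixes=CF_PREFIXES):
    """Flag the drop-then-invoke pattern: a client completes a POST into a ColdFusion
    directory, then requests a script file there that no client had requested before.
    Returns a list of (ip, path) tuples in log order."""
    posted = set()       # IPs that have completed a 2xx POST into a ColdFusion directory
    seen_paths = set()   # every ColdFusion-directory path requested so far (the baseline)
    hits = []
    for line in lines:
        ev = parse_line(line)
        if not ev or not ev["path"].startswith(prefixes):
            continue
        path, ok = ev["path"], ev["status"].startswith("2")
        # Check for the invocation first, so the drop request itself is not flagged.
        if ok and ev["ip"] in posted and path not in seen_paths and path.lower().endswith(SCRIPT_EXTS):
            hits.append((ev["ip"], path))
        if ev["method"] == "POST" and ok:
            posted.add(ev["ip"])
        seen_paths.add(path)
    return hits


if __name__ == "__main__":
    for ip, path in find_webshell_drops(SAMPLE_LOG.splitlines()):
        print(f"possible web shell drop: {ip} -> {path}")
```

Run it against a longer log window than the suspicious period so that legitimate script paths land in the baseline before any POST is seen.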

While the malicious activity appears to be centered around reconnaissance efforts aimed at mapping the broader network, no lateral movement or data exfiltration has been detected so far.

Malicious Operations: From File System Navigation to Trojan Deployment

In one incident, the adversaries were observed navigating the filesystem, uploading diverse artifacts to the web server. These included binaries capable of exporting web browser cookies and malware designed to decrypt passwords for ColdFusion data sources.

A separate event in early June 2023 involved the deployment of a remote access trojan—a modified version of the ByPassGodzilla web shell. This trojan utilized a JavaScript loader for infection and required communication with an actor-controlled server to carry out actions.

Additionally, the threat actors attempted to exfiltrate Windows Registry files and, unsuccessfully, to download data from a command-and-control (C2) server. CISA’s analysis strongly suggests that the threat actors accessed data in the ColdFusion seed.properties file through the web shell interface. This file contains the seed values and encryption methods used for password encryption, though no malicious code was found that indicated attempts to decode passwords using these values.

This breach serves as a stark reminder of the ongoing threats faced by federal agencies, highlighting the importance of promptly patching known vulnerabilities to safeguard critical information.

Christin