CISA: Threat Actor Breached Federal Systems via Adobe ColdFusion Flaw
Adobe patched CVE-2023-26360 in March amid active exploit activity targeting the flaw.
December 6, 2023
An unidentified threat actor or threat actors gained access to two public facing Web servers at a US federal government agency earlier this year by exploiting a critical but previously patched vulnerability in Adobe ColdFusion.
The intrusions appear to have been part of a reconnaissance attempt by the attackers to map out the agency's broader network, but there's no evidence of data exfiltration or lateral movement on the compromised network, the US Cybersecurity and Infrastructure Security Agency (CISA) said this week.
Two Intrusions
In an advisory, the agency described the attacks as taking place in June and July and involving CVE-2023-26360, an improper access control vulnerability that enables remote code execution on affected systems. The vulnerability affects multiple ColdFusion versions, including end-of-life versions that Adobe no longer supports. Adobe gave the vulnerability a severity score of 8.6 out of 10 on the CVSS scale, making it a high to critical severity threat in the company's opinion.
Adobe disclosed — and patched — the vulnerability in March amid what the vendor said were reports of attackers actively exploiting the flaw in the wild in a "very limited" number of attacks. It was one of two critical vulnerabilities that Adobe revealed in the same advisory — the other was CVE-2023-26359 — a deserialization of untrusted data flaw that enables arbitrary code execution. Shortly after Adobe's March disclosure, CISA added CVE-2023-26360 to its catalog of Known Exploited Vulnerabilities (KEV), citing the "significant risks" the vulnerability posed to federal agencies. CISA later added CVE-2023-26359 to its KEV as well amid reports of active attacks targeting the flaw.
Adobe ColdFusion is a proprietary — and what many would consider as a legacy — platform for building Web and mobile apps. Though less popular than it was years ago, many organizations still use the technology. Adobe itself claims that 60% of Fortune 500 companies currently use ColdFusion for Web application development.
Reconnaissance Activity?
According to the CISA, the intrusions at the federal agency in June and July involved servers running legacy, unsupported versions of ColdFusion.
In the June incident, the threat actor exploited CVE-2023-26360 on a server running Adobe ColdFusion v2016.0.0.3. After gaining initial access, the threat actor enumerated all currently running processes on the system and performed a network connectivity check, presumably to confirm their ability to communicate with the compromised server. The attackers also attempted to gather other information about the Web server and its operating system and used HTTP POST requests to inject malware for extracting username, password, data source URLs, and other information that they could use in subsequent attacks, CISA said.
In the other attack, the same or a different threat actor exploited CVE-2023-26360 to breach a different Web server at the same federal agency — this one running a different version of ColdFusion. After breaching the system, the threat actor explored opportunities for lateral movement on the compromised network and collected a range of information about local- and domain-level administrative accounts. The attacker also conducted network and host reconnaissance in an attempt to collect network configuration information, time logs, and user information. As with the other incident, the threat actor used HTTP POST commands to drop malicious code — including a remote access Trojan — on the breached server.
"In both incidents, Microsoft Defender for Endpoint (MDE), alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency's pre-production environment," CISA said.
Challenges With Securing Legacy Systems
John Gallagher, vice president of Viakoo Labs at Viakoo, says while CVE-2023-26360 is a serious vulnerability, the fact that it impacts servers that otherwise can be monitored and acted on by traditional cybersecurity solutions is a consolation. "For example, in the incidents mentioned, traditional security solutions kicked in to prevent successful execution of code and enabling it to be identified as malicious and appropriately quarantined."
Generally, legacy commercial software technologies such as ColdFusion are attractive targets for attackers for multiple reasons, says Callie Guenther, senior manager, cyber threat research at Critical Start. These include a relative lack of updates and support; high prevalence in enterprise organization; and a perception among attackers that these systems are likely less monitored and protected than more state-of-the-art systems. Maintaining a secure posture around these systems can be challenging because of the difficulties involved in integrating modern security tools with legacy systems, potential disruptions when upgrading or replacing these technologies, and a dwindling supply of people that are familiar with the technologies, he says.
"The exploitation of CVE-2023-26360 in Adobe ColdFusion, particularly in versions that are no longer supported, underscores these risks and challenges," Guenther says. "It highlights the importance of regular software updates, robust security measures, and transitioning away from unsupported legacy systems to mitigate vulnerabilities and potential cyber threats."
About the Author
You May Also Like