The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360 [1] [2] [3] [4]. The vulnerability has been actively exploited by attackers and poses a significant threat to government servers, potentially leading to data exfiltration, system manipulation, and lateral movement within networks [3].

Description

The attackers have specifically targeted public-facing web servers running outdated versions of ColdFusion [3]. Limited attacks between June and July 2023 confirmed exploitation of this vulnerability, compromising at least two public-facing servers [5]. CISA has listed the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, indicating evidence of active exploitation in the wild [2].

To assist network defenders, CISA has issued a Cybersecurity Advisory (CSA) that provides the attackers' tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation [1] [5] [6] [7] [8]. Network defenders and critical infrastructure organizations are advised to review the advisory and strengthen their security measures [6]. Additionally, software manufacturers are encouraged to incorporate secure-by-design principles into their development practices [6].

Adobe ColdFusion CVE-2023-26360 is a deserialization vulnerability that allows remote code execution [7]. Adobe released a patch for it in March 2023, acknowledging limited attacks exploiting the flaw [7]. The affected versions are ColdFusion 2021, 2018, 2016, and 11, with patches provided only for ColdFusion 2021 and 2018 [2] [7].

The attackers exploited the vulnerability to upload encrypted files that were decoded into web shells, enabling them to execute commands on the server [1]. In one incident, the attackers dropped several utilities, including a cookie-exporting DLL file and a network resource scanner [1] [4]. They also attempted to decrypt passwords for ColdFusion data sources [1].

In the second incident, the attackers employed more advanced reconnaissance to gather information about domain trusts and administrative accounts [1]. They also attempted to exfiltrate system registry hives and dumped the memory of the Local Security Authority Subsystem Service (LSASS) [1]. The attackers accessed the ColdFusion seed.properties file, which stores the unique seed used to encrypt passwords [1].

CISA provides indicators of compromise and mitigation instructions for organizations to protect against similar attacks on ColdFusion deployments [1].

Conclusion

The exploitation of the Adobe ColdFusion CVE-2023-26360 vulnerability poses significant risks to government servers and networks. Network defenders and critical infrastructure organizations should review the Cybersecurity Advisory and strengthen their security measures accordingly.

The attacks highlight the importance of promptly applying security patches and updates. Software manufacturers should prioritize incorporating secure-by-design principles into their development practices to prevent such vulnerabilities.

By applying the mitigation instructions and monitoring for the indicators of compromise provided by CISA, organizations can protect their ColdFusion deployments and reduce the impact of similar attacks in the future.

References

[1] https://www.csoonline.com/article/1251480/attackers-breach-us-government-agencies-through-coldfusion-flaw.html
[2] https://thehackernews.com/2023/12/hackers-exploited-coldfusion.html
[3] https://cybersecuritynews.com/hackers-exploit-adobe-coldfusion-flaw/
[4] https://vulnera.com/newswire/critical-adobe-coldfusion-exploit-used-to-breach-u-s-government-servers/
[5] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
[6] https://www.cisa.gov/news-events/alerts/2023/12/05/cisa-releases-advisory-threat-actors-exploiting-cve-2023-26360-vulnerability-adobe-coldfusion
[7] https://www.helpnetsecurity.com/2023/12/06/cve-2023-26360-government-servers/
[8] https://www.waterisac.org/portal/cisa-releases-advisory-threat-actors-exploiting-cve-2023-26360-vulnerability-adobe-coldfusion