CISA Alerts on Breach Using ColdFusion Flaw to Access Federal Servers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning concerning the exploitation of a critical Adobe ColdFusion vulnerability by unidentified cyber threat actors. These actors utilized the vulnerability, identified as CVE-2023-26360, to breach the security of a federal agency’s servers, gaining initial access between June and July 2023.

The flaw, categorized as an improper access control issue, allows arbitrary code execution once exploited. It affects ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier); Adobe fixed it in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6, both released on March 14, 2023.
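The patch levels above are the only fact a defender needs to triage an inventory of ColdFusion hosts. The following is an added example, not part of the CISA alert or Adobe's own tooling: it parses version strings in two assumed formats (a human-readable "ColdFusion 2021 Update 5" and a comma-separated "2021,0,05,330109" as reported by the server; verify the latter against your own installations) and flags hosts still below the fixed update for CVE-2023-26360. Hostnames and version strings in the sample inventory are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Fixed update levels for CVE-2023-26360 per the advisory (released March 14, 2023):
# ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6.
FIXED_UPDATE = {2018: 16, 2021: 6}


class CFVersion(NamedTuple):
    release: int  # product year, e.g. 2018 or 2021
    update: int   # cumulative update number


def parse_version(text: str) -> CFVersion:
    """Parse 'ColdFusion 2021 Update 5', 'CF2018U15' or '2021,0,05,330109' (assumed formats)."""
    m = re.search(r"(2018|2021)\s*(?:Update|U)\s*(\d+)", text, re.IGNORECASE)
    if m:
        return CFVersion(int(m.group(1)), int(m.group(2)))
    m = re.fullmatch(r"\s*(2018|2021),\d+,(\d+)(?:,\d+)?\s*", text)
    if m:
        return CFVersion(int(m.group(1)), int(m.group(2)))
    raise ValueError(f"unrecognised ColdFusion version string: {text!r}")


def is_vulnerable(v: CFVersion) -> Optional[bool]:
    """True if below the fixed update; None if the release is not covered by the advisory."""
    fixed = FIXED_UPDATE.get(v.release)
    if fixed is None:
        return None
    return v.update < fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'patched', 'unknown-release' or 'unparsed'."""
    result: Dict[str, str] = {}
    for host, version_string in inventory:
        try:
            v = parse_version(version_string)
        except ValueError:
            result[host] = "unparsed"  # needs a manual look rather than silent skipping
            continue
        vuln = is_vulnerable(v)
        result[host] = "unknown-release" if vuln is None else ("vulnerable" if vuln else "patched")
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("cf-web-01.example", "ColdFusion 2018 Update 15"),
    ("cf-web-02.example", "2021,0,05,330109"),
    ("cf-web-03.example", "ColdFusion 2021 Update 6"),
    ("cf-web-04.example", "build 7.2"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```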

CISA promptly added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on the strength of evidence of active exploitation in the wild. Although Adobe had acknowledged only limited attacks using the flaw, the agency reported the compromise of at least two public-facing servers, both running outdated software versions.

During these breaches, the attackers carried out various actions, including delivering malware through HTTP POST requests that dropped files into the ColdFusion directory path. Reconnaissance was also observed: the threat actors attempted to map the network, though there was no evidence of lateral movement or data exfiltration.

In specific incidents, the attackers were observed navigating the system, uploading multiple artifacts including binaries capable of accessing web browser cookies and decrypting ColdFusion data source passwords. Furthermore, a modified version of the ByPassGodzilla web shell, acting as a remote access trojan, was deployed to interact with an actor-controlled server.

Despite attempts to exfiltrate Windows Registry files and download data from a command-and-control server, no successful data breach was confirmed. However, the threat actors were found to have potentially accessed the ColdFusion seed properties file, containing encryption methods and seed values for passwords. Fortunately, no evidence of attempts to decode passwords using this information was discovered.

The incidents underscore the severity of the ColdFusion vulnerability and the necessity for prompt software updates to mitigate potential security risks, especially within critical systems handling sensitive data.

To prevent such breaches, keep software at the latest supported version and apply security patches promptly. Implementing robust access controls and conducting routine security audits further strengthen defenses against exploitable vulnerabilities.