The exploitation of Adobe ColdFusion CVE-2023-26360 by threat actors targeting government servers has been a significant security concern. Here are key details from the Cybersecurity and Infrastructure Security Agency (CISA) advisory:
Confirmed Exploitation: Unidentified threat actors exploited the vulnerability at a Federal Civilian Executive Branch (FCEB) agency, impacting Adobe ColdFusion versions 2018 Update 15 and earlier, and 2021 Update 5 and earlier. This vulnerability could result in arbitrary code execution, and two public-facing servers were confirmed to be compromised between June and July 2023.
Initial Foothold and Reconnaissance Efforts: The threat actors established an initial foothold on agency systems through this vulnerability. They executed various commands on the compromised web servers, suggesting a reconnaissance effort to map the network. However, there was no evidence of successful data exfiltration or lateral movement.
Specific Incidents: In one instance, observed as early as June 26, 2023, attackers exploited CVE-2023-26360 on an Adobe ColdFusion v2016.0.0.3 server. In another, dated June 2, 2023, they targeted a server running Adobe ColdFusion v2021.0.0.2. Both incidents involved reconnaissance and the deployment of a remote access trojan (RAT) delivered through HTTP POST requests.
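The two checks a defender would want from the paragraphs above are (a) whether a given ColdFusion build falls inside the advisory's affected ranges and (b) which external hosts are sending POST requests to ColdFusion handlers on an IIS front end. The script below is an added example, not code from CISA or from the blog; the IIS log lines, IP addresses and paths are constructed sample data, and the rule that treats release years before 2018 as affected (end of life, unpatched) is an assumption. Version strings of the form v2016.0.0.3 are not parsed, since the mapping from build numbers to "Update N" is not stated on the page.

```python
"""Triage helpers for the ColdFusion CVE-2023-26360 advisory summary.

Added example; not from the CISA advisory or the blog post.
"""
import re
from collections import defaultdict

# Affected ranges as stated in the advisory: 2018 Update 15 and earlier,
# 2021 Update 5 and earlier. Later updates of those releases are patched.
AFFECTED_MAX_UPDATE = {2018: 15, 2021: 5}

VERSION_RE = re.compile(
    r"\s*(?:Adobe\s+)?(?:ColdFusion\s+)?(\d{4})(?:\s+Update\s+(\d+))?\s*", re.I
)


def is_affected(version: str) -> bool:
    """True if a 'ColdFusion <year> Update <n>' string is in the affected range.

    Assumption (not from the advisory): release years older than 2018 are
    out of support and treated as affected; years newer than 2021 are not
    covered by the advisory and are treated as not affected.
    """
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    year, update = int(m.group(1)), int(m.group(2) or 0)
    if year not in AFFECTED_MAX_UPDATE:
        return year < 2018
    return update <= AFFECTED_MAX_UPDATE[year]


# Constructed IIS W3C log excerpt (sample data, not from the incident).
# IIS writes User-Agent with spaces replaced by '+', so whitespace splitting is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status sc-bytes cs-bytes
2023-06-26 03:14:07 10.0.0.5 GET /index.cfm - 198.51.100.7 Mozilla/5.0 200 4821 312
2023-06-26 03:14:09 10.0.0.5 POST /cfide/administrator/login.cfm - 198.51.100.7 Mozilla/5.0 200 1200 9876
2023-06-26 03:14:12 10.0.0.5 POST /cfide/administrator/login.cfm - 198.51.100.7 python-requests/2.31 200 1100 10440
2023-06-26 03:15:40 10.0.0.5 GET /static/logo.png - 203.0.113.9 Mozilla/5.0 200 5120 250
2023-06-26 03:16:01 10.0.0.5 POST /contact.cfc method=send 203.0.113.9 Mozilla/5.0 200 310 640
"""

CF_HANDLER = re.compile(r"\.cf[mc]$", re.I)  # .cfm pages and .cfc components


def parse_iis_log(text: str):
    """Yield one dict per record, using the '#Fields:' header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # header missing or malformed record: skip rather than guess
        yield dict(zip(fields, parts))


def coldfusion_post_summary(text: str) -> dict:
    """Group POST requests to ColdFusion handlers by client IP.

    Returns {c-ip: {"posts": n, "bytes_in": total cs-bytes,
                     "paths": set(), "agents": set()}} so an analyst can spot
    hosts repeatedly pushing bodies at .cfm/.cfc endpoints.
    """
    summary = defaultdict(lambda: {"posts": 0, "bytes_in": 0, "paths": set(), "agents": set()})
    for rec in parse_iis_log(text):
        if rec["cs-method"] != "POST" or not CF_HANDLER.search(rec["cs-uri-stem"]):
            continue
        s = summary[rec["c-ip"]]
        s["posts"] += 1
        s["bytes_in"] += int(rec["cs-bytes"])
        s["paths"].add(rec["cs-uri-stem"].lower())
        s["agents"].add(rec["cs(User-Agent)"])
    return dict(summary)


if __name__ == "__main__":
    for v in ("ColdFusion 2018 Update 15", "2018 Update 16", "2021 Update 5", "2016"):
        print(f"{v:28s} affected={is_affected(v)}")
    for ip, s in coldfusion_post_summary(SAMPLE_IIS_LOG).items():
        print(ip, s["posts"], "POSTs,", s["bytes_in"], "bytes in, agents:", sorted(s["agents"]))
```

In production the summary would be run over the real IIS logs for the period of interest and the per-IP counts compared against the normal traffic baseline; the version check is only a first pass and should be confirmed against the installed hotfix level.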
ColdFusion seed.properties File: Analysis suggests that the attackers accessed the ColdFusion seed.properties file, which specifies the encryption method used for stored ColdFusion passwords. However, there was no indication that they used this information to decrypt any passwords.
These incidents underscore the critical importance of maintaining updated software versions and monitoring for potential vulnerabilities and exploits, especially in sensitive government infrastructure.
REFERENCES
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
- https://otx.alienvault.com/pulse/656f3c476dc909e3c448b786
TAGS
Adobe ColdFusion, CVE-2023-26360, HTTP, Internet Information Services (IIS), web shell