CISA has released details about a federal agency that recently had at least two public-facing servers compromised by attackers exploiting a critical Adobe ColdFusion vulnerability.
The vulnerability, tracked as CVE-2023-26360, was disclosed in March and was shortly after added to CISA’s known exploited vulnerability (KEV) catalog, setting an April 5 deadline for agencies to fix the issue.
In a Tuesday advisory, CISA revealed the federal civilian executive branch (FCEB) in question was successfully attacked in June and into July, meaning the vulnerability went unpatched for more than three months after CISA’s deadline.
CISA did not respond to questions about whether the agency has now patched the vulnerability, who was behind the attack, or its stance on the missed deadline.
Analysis of logs revealed the two servers identified as compromised were attacked in what appears to be two separate attacks. In both cases, the servers were running outdated versions of the web app development platform and were vulnerable to various CVEs, CISA said.
“Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion.”
The cybersecurity agency is unable to confirm whether data was stolen by the intruders in either incident. It’s believed both campaigns were designed as reconnaissance efforts to understand the broader network, although CISA also declined to say if the two attacks were linked to the same operators.
The first incident began on June 2 when attackers gained an initial foothold on the server by exploiting CVE-2023-26360. They performed various reconnaissance tasks, like collecting details about local and domain admin accounts, as well as efforts to gather network configuration, time logs, and query user information.
Attackers then dropped a remote access trojan (RAT), a modified version of the ByPassGodzilla web shell code, before establishing persistence.
However, other phases of the attack failed, including attempts to gather user account credentials via an LSASS dump, download data from the attacker’s C2 infrastructure, and attempts to change policies across the compromised servers. Their attempts to exfiltrate registry files sam.zip, sec.zip, blank.jsp, and cf-bootstrap.jar were also stopped by Windows.
“Analysis identified these files resulted from executed save and compress data processes from the HKEY_LOCAL_MACHINE (HKLM) Registry key, as well as save security account manager (SAM) information to .zip files,” the advisory read.
“The SAM Registry file may allow for malicious actors to obtain usernames and reverse engineer passwords; however, no artifacts were available to confirm that the threat actors were successful in exfiltrating the SAM Registry hive.”
CISA said it’s highly likely that the attackers accessed the ColdFusion seed value and encryption method used to encrypt passwords – a method that can also be used to decrypt them. That said, no malicious code was found on the victim server to indicate any decryption was attempted using those seed values.
Double trouble
The second incident began on June 26 and saw miscreants connect via a malicious IP address that resolves to a legitimate public cloud service. After exploiting CVE-2023-26360, they checked running processes to learn about the web server and its operating system, and scanned for ColdFusion version 2018 and version 2016 – an older EOL version that’s also vulnerable to the flaw.
Attackers were observed traversing the filesystem and deleting logs to evade detection. They then made HTTP POST requests to a ColdFusion configuration file and analysis showed evidence of malicious code that is designed to execute on ColdFusion versions 9 and below.
CISA said this code “was inserted with the intent to extract username, password, and data source uniform resource locators (URLs).”
“According to analysis, this code insertion could be used in future malicious activity by the threat actors (e.g. by using the valid credentials that were compromised). This file also contained code used to upload additional files by the threat actors; however, the agency was unable to identify the source of their origin.”
CISA went on to report that the malicious code was unable to decrypt any passwords because it was designed for ColdFusion versions 8 and older, where the seed value was hardcoded.
The FCEB agency in question was running a newer version, so password decryption wasn’t achieved in this way. Other stages of the attack, like the attacker’s attempts to hide their web shell, also failed to execute as intended. ®