Double blow to US federal servers: Why CISA requirements were ignored

Late installation of ColdFusion updates played a cruel joke on a US government agency.

The Cybersecurity and Infrastructure Security Agency (CISA) has disclosed two serious intrusions into public-facing servers of a US federal agency. The attackers exploited a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360.

The vulnerability was made public in March 2023, and in the same month it was added to CISA's Known Exploited Vulnerabilities (KEV) catalog, which gave US federal agencies until April 5 to patch it.
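The KEV catalog is what turns a CVE into a hard deadline, so the practical question for an administrator is "which of my assets carry a KEV entry whose due date has passed?". The script below is an added example, not code from the article or from CISA: it reads records in the shape of the public KEV JSON feed (real field names: `vulnerabilities`, `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), matches them against a local asset inventory and reports every unpatched match with the number of days it is past the deadline. The catalog excerpt and the inventory are constructed sample data; the inventory format (`host`, `vendor`, `product`, `patched_cves`) is an assumption for the example, not a CISA format.

```python
"""Flag assets that still carry a CISA KEV entry past its remediation deadline.

Added example. The KEV record layout mirrors the public JSON feed; the catalog
excerpt and the inventory below are constructed sample data, and the inventory
format is an assumption made for this example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt in the shape of CISA's KEV feed. The CVE-2023-26360 dates
# (added 2023-03-15, due 2023-04-05) match the catalog; the Log4Shell entry is
# included only so the example has a non-ColdFusion product to ignore.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2023-26360", "vendorProject": "Adobe", "product": "ColdFusion",
     "dateAdded": "2023-03-15", "dueDate": "2023-04-05"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"}
  ]
}
"""

# Constructed inventory (assumed format): one ColdFusion host already patched,
# one still exposed, and an unrelated Log4j host that is patched.
SAMPLE_INVENTORY = [
    {"host": "cf-web-01", "vendor": "Adobe", "product": "ColdFusion",
     "patched_cves": {"CVE-2023-26360"}},
    {"host": "cf-web-02", "vendor": "Adobe", "product": "ColdFusion",
     "patched_cves": set()},
    {"host": "app-03", "vendor": "Apache", "product": "Log4j2",
     "patched_cves": {"CVE-2021-44228"}},
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    product: str
    due_date: date
    days_overdue: int  # negative means the deadline has not yet passed


def load_kev(text: str) -> list[dict]:
    """Return the list of KEV records from a feed-shaped JSON document."""
    return json.loads(text)["vulnerabilities"]


def _same_product(entry: dict, asset: dict) -> bool:
    """Case-insensitive vendor+product match between a KEV entry and an asset."""
    return (entry["vendorProject"].strip().lower() == asset["vendor"].strip().lower()
            and entry["product"].strip().lower() == asset["product"].strip().lower())


def overdue_findings(kev_text: str, inventory: list[dict], as_of: str) -> list[Finding]:
    """Every (asset, KEV entry) pair where the asset has not applied the CVE's fix.

    as_of is an ISO date (YYYY-MM-DD). Findings are sorted most-overdue first so
    the longest-missed deadlines appear at the top of a report.
    """
    today = date.fromisoformat(as_of)
    findings: list[Finding] = []
    for entry in load_kev(kev_text):
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not _same_product(entry, asset):
                continue
            if entry["cveID"] in asset.get("patched_cves", set()):
                continue
            findings.append(Finding(asset["host"], entry["cveID"], entry["product"],
                                    due, (today - due).days))
    return sorted(findings, key=lambda f: (-f.days_overdue, f.host))


def report(findings: list[Finding]) -> list[str]:
    """Human-readable lines, one per finding."""
    lines = []
    for f in findings:
        status = f"{f.days_overdue} days past due" if f.days_overdue >= 0 \
            else f"due in {-f.days_overdue} days"
        lines.append(f"{f.host}: {f.cve_id} ({f.product}) deadline {f.due_date} - {status}")
    return lines


if __name__ == "__main__":
    # June 2, 2023 is the date of the first intrusion described in the article.
    for line in report(overdue_findings(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2023-06-02")):
        print(line)
```

Run against the sample data on 2023-06-02, the day of the first intrusion, the only finding is `cf-web-02`, already 58 days past the April 5 deadline. In practice the catalog text would come from CISA's published feed and the inventory from your asset database; the matching is deliberately by vendor and product name rather than by version, because KEV entries do not carry affected-version ranges, so a match is a prompt to verify the patch level, not proof of exposure.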

Yet in June and July it became clear that the affected servers had never been patched, which left them open to exploitation long after the deadline had passed.

CISA did not say whether the vulnerability has since been fully remediated, who was behind the attacks, or what the agency's official position is on the missed patch deadline.

Log analysis showed that the federal servers were hit in two separate attacks. Both servers ran outdated versions of ColdFusion and were vulnerable to several CVEs. On the compromised servers the attackers ran a range of commands, including using the vulnerability to drop malware.

Although CISA cannot confirm that data was stolen, it assesses that both attacks were reconnaissance aimed at mapping the wider network. Whether the two intrusions are linked to the same operators is unclear.

The first attack took place on June 2. The attackers gained access to the server through CVE-2023-26360 and carried out various reconnaissance tasks. Later phases of the attack, such as attempts to collect credentials and change policies on the compromised server, were unsuccessful.

The second breach occurred on June 26. The attackers again exploited CVE-2023-26360 and spent a long time exploring the system. However, their malicious code failed to decrypt passwords, because it had been written for older versions of ColdFusion.

CISA stresses that the attackers most likely obtained the seed value and the ColdFusion encryption method, which in principle would allow the stored passwords to be decrypted. Even so, no malicious code indicating decryption attempts with those values was found on the compromised server.

These incidents underline the need for timely software updates to prevent such attacks. Even when a vendor's first patch does not fully close a hole, follow-up updates do, so it is essential that administrators install every security update promptly. The principle of "if it works, don't touch it" simply does not apply here.