Hackers broke into two government agencies in the United States through a critical "hole", which was known for almost a year

A critical vulnerability in Adobe ColdFusion, software for building and deploying web applications, was identified and fixed back in March. In June, however, hackers exploited it successfully and broke into the servers of two government agencies.

Everyone knew, but the problem wasn't solved

A vulnerability in Adobe ColdFusion caused two hacks of government agencies in the United States.

The critical bug, tracked as CVE-2023-26360, allows arbitrary code execution on a server running ColdFusion 2018 Update 15 or earlier, or ColdFusion 2021 Update 5 or earlier.

The vulnerability was fixed in March 2023, shortly after attacks using it became known. CF 2018 Update 16 and later and CF 2021 Update 6 and later are considered safe.
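A defender's first question after reading the version ranges above is which servers in an inventory still fall inside them. The following triage helper is an added example, not code from the article or from Adobe; it assumes version strings in the "year,0,update,build" form shown in the ColdFusion Administrator (or the dotted form used in the article), with the major release in the first field and the update number in the third, and it treats major releases for which the article lists no fixed update (such as 2016) as unsupported and therefore still exposed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed update levels as stated in the article:
# ColdFusion 2018 Update 16+ and ColdFusion 2021 Update 6+ are not affected.
FIXED_UPDATE = {2018: 16, 2021: 6}


@dataclass
class Verdict:
    major: int
    update: int
    status: str   # "patched", "vulnerable", "unsupported" or "unknown"
    reason: str


def parse_cf_version(text: str) -> Optional[Tuple[int, int]]:
    """Parse '2021,0,05,330109' or '2021.0.0.2' into (major, update).

    Assumption (not from the article): field 1 is the major release year
    and field 3 is the update number. Returns None if the string does not
    have at least three numeric fields."""
    parts = re.split(r"[,.]", text.strip())
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        return None
    return int(parts[0]), int(parts[2])


def assess(text: str) -> Verdict:
    """Decide whether a single version string is inside the affected range."""
    parsed = parse_cf_version(text)
    if parsed is None:
        return Verdict(0, 0, "unknown", f"could not parse version {text!r}")
    major, update = parsed
    if major not in FIXED_UPDATE:
        return Verdict(major, update, "unsupported",
                       "no fixed update listed for this release; treat as exposed")
    if update >= FIXED_UPDATE[major]:
        return Verdict(major, update, "patched", "at or above fixed update")
    return Verdict(major, update, "vulnerable",
                   f"update {update} < fixed update {FIXED_UPDATE[major]}")


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by verdict so the exposed ones can be prioritised."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        groups.setdefault(assess(version).status, []).append(host)
    return groups


# Constructed sample inventory (host names and builds are made up).
SAMPLE_INVENTORY = {
    "cf-prod-01": "2021,0,06,330132",
    "cf-preprod-02": "2021,0,05,330109",
    "cf-legacy-03": "2016.0.0.3",
    "cf-preprod-04": "2021.0.0.2",
}
```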

At the same time, in March, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a bulletin describing the problem. Under its authority, CISA also ordered US government agencies to install the ColdFusion updates by April 5.

CISA has now published new material on the old vulnerability. It states that CVE-2023-26360 is still being exploited successfully by attackers and that in June two separate incidents affected US government agencies.

In both cases, according to the publication, Microsoft Defender for Endpoint (MDE) flagged likely exploitation of a vulnerability on public-facing servers "in pre-production environments" of the affected agencies.

The attacked servers ran various outdated software containing many other vulnerabilities.

Reconnaissance attacks

The earlier incident was recorded on June 2: attackers compromised a server running Adobe ColdFusion 2021.0.0.2, after which they gathered information about user accounts and installed a remote access trojan. They then tried to extract data from the system registry and the Security Account Manager, and also tried to use the security tools available on the system to gain access to SYSVOL, a special directory present on every domain controller.

On June 26, attackers used CVE-2023-26360 to break into a server running Adobe ColdFusion version 2016.0.0.3. A web shell was installed on the vulnerable server, through which malicious code was inserted into a ColdFusion configuration file. The attackers also obtained an administrative username and password.

Later, the hackers deleted the files used in the attacks, which helped them hide their presence. They also created new files in the directory C:\IBM as additional cover: in particular, a network scanner, which the hackers used to map the environment, was launched from this folder.

In both cases, however, the attacks were detected and blocked before the attackers could exfiltrate any data or move deeper into the agencies' networks. CISA also noted that all compromised assets were removed from key networks within 24 hours.

"Back in March, CISA ordered government agencies to install fixes by April 5, but the attacks described occurred in June, which means that CISA's instructions were ignored," says Anastasia Melnikova, Director of Information Security at SEQ. According to her, the vendor has released the necessary fixes and the agency responsible for informing and coordinating the installation of software updates has issued all the appropriate bulletins. "Now all responsibility lies with those institutions that did not take the time to correct the situation. Apparently, someone will be fired," Anastasia Melnikova summed up.

According to CISA, these attacks were purely reconnaissance in nature. It remains unknown whether the same hacker group acted in both cases or whether different actors were involved.

The new CISA guidance recommends updating ColdFusion to the latest versions, as well as reviewing network segmentation, deploying firewalls, and configuring application control policies so that only signed software can run.