Threat actors leveraged a vulnerability in popular Adobe software to compromise servers at two US federal agencies, the US cybersecurity agency warned.
The unidentified attackers exploited CVE-2023-26360, an improper access control issue affecting Adobe ColdFusion 2018 Update 15 and earlier and ColdFusion 2021 Update 5 and earlier. The flaw also affects the no-longer-supported ColdFusion 2016 and ColdFusion 11 releases.
Adobe ColdFusion is a Java-based application server and a platform for building and deploying web and mobile applications.
The Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory that the attacks took place in June 2023 and that, in both cases, the servers were running outdated versions of the web application development platform and were vulnerable to multiple CVEs.
“In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment,” CISA said.
In one of the incidents, the hackers compromised a publicly accessible web server running Adobe ColdFusion v2016.0.0.3 via CVE-2023-26360. They then performed process enumeration to list the processes running on the targeted web server, traversed its filesystem, and uploaded various artifacts to it.
In a separate incident, the threat actors gained an initial foothold on another public-facing web server running Adobe ColdFusion v2021.0.0.2. The adversaries gathered information about local and domain administrative user accounts during the reconnaissance phase.
The threat actors were also observed deploying a remote access trojan (RAT) that used a JavaScript loader to infect the device.
CISA believes that the malicious activity was a reconnaissance effort to map the broader network. The agency said it has no evidence that the attackers were able to exfiltrate data or move laterally. It is unclear whether the same threat actor is behind both incidents.