6 December 2023

Hackers exploiting Adobe ColdFusion bug to breach government servers

Threat actors leveraged a vulnerability in popular Adobe software to compromise servers at two US federal agencies, the US cybersecurity agency warned.

The unidentified attackers exploited CVE-2023-26360, an improper access control vulnerability affecting Adobe ColdFusion 2018 Update 15 and earlier and ColdFusion 2021 Update 5 and earlier. The flaw also affects the no-longer-supported ColdFusion 2016 and ColdFusion 11 releases.
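The affected-version statement above is the kind of fact a vulnerability management team has to apply across an inventory of servers. The script below is an added example written for this page, not code from the advisory or from Adobe: it assumes a constructed inventory in which each host records its ColdFusion release year and update number ("ColdFusion 2021 Update 5"), flags builds at or below the last affected update, and treats the out-of-support 2016 and 11 releases as affected regardless of update, since no fix is available for them.

```python
from dataclasses import dataclass

# Affected ranges as stated in the advisory: 2018 Update 15 and earlier,
# 2021 Update 5 and earlier.  ColdFusion 2016 and 11 are out of support and
# receive no fix, so every build of those releases is treated as affected.
LAST_AFFECTED_UPDATE = {2018: 15, 2021: 5}
UNSUPPORTED_MAJORS = {11, 2016}


@dataclass(frozen=True)
class CfVersion:
    major: int   # release year (2016, 2018, 2021, ...) or 11 for ColdFusion 11
    update: int  # cumulative update number


def parse_version(text: str) -> CfVersion:
    """Parse strings such as 'ColdFusion 2021 Update 5' or '2018 Update 15'.

    This is an assumed inventory format (constructed for the example); it is
    not a format taken from the advisory.  Anything else is rejected rather
    than guessed, because a mis-parsed version would silently pass triage.
    """
    tokens = text.replace("ColdFusion", " ").replace("Update", " ").split()
    if len(tokens) != 2 or not all(t.isdigit() for t in tokens):
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    return CfVersion(int(tokens[0]), int(tokens[1]))


def assess(version: CfVersion) -> str:
    """Classify a build against CVE-2023-26360 as stated in the advisory.

    Returns 'unsupported', 'vulnerable', 'patched' or 'unknown'.  'unknown'
    covers releases the advisory does not name, so they get a human look
    instead of a false 'patched'.
    """
    if version.major in UNSUPPORTED_MAJORS:
        return "unsupported"
    last_affected = LAST_AFFECTED_UPDATE.get(version.major)
    if last_affected is None:
        return "unknown"
    return "vulnerable" if version.update <= last_affected else "patched"


def triage(inventory: dict) -> dict:
    """Map each host name to its assessment."""
    return {host: assess(parse_version(ver)) for host, ver in inventory.items()}


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = {
    "web-01": "ColdFusion 2018 Update 15",  # last affected 2018 build
    "web-02": "ColdFusion 2021 Update 6",   # first build past the affected range
    "web-03": "ColdFusion 2016 Update 3",   # out of support, no fix available
    "web-04": "ColdFusion 2023 Update 6",   # not named in the advisory
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
```

The boundary values matter: the advisory says "Update 15 and earlier" and "Update 5 and earlier", so the comparison is `<=`, and an off-by-one here would clear the very builds CISA saw exploited. Unknown releases and unparseable strings deliberately fall out as exceptions or an `unknown` verdict rather than a clean result.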

Adobe ColdFusion is a Java-based application server and a platform for building and deploying web and mobile applications.

The Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory that the attacks took place in June 2023 and that, in both cases, the servers were running outdated versions of the web application development platform and were vulnerable to several CVEs.

“In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment,” CISA said.

In one of the incidents, the hackers compromised a publicly accessible web server running Adobe ColdFusion v2016.0.0.3 via CVE-2023-26360. They then initiated process enumeration to retrieve information on currently active processes on the targeted web server. The threat actors traversed the filesystem and uploaded various artifacts to the web server.

In a separate incident, the threat actors gained an initial foothold on another public-facing web server running Adobe ColdFusion v2021.0.0.2. The adversaries gathered information about local and domain administrative user accounts during the reconnaissance phase.

The threat actors were observed deploying a remote access trojan (RAT) that used a JavaScript loader to infect the device.

CISA believes that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. The agency said it has no evidence that the attackers were able to exfiltrate data or move laterally. It’s unclear if the same threat actor is behind both incidents.
