The US Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unknown threat actors to quickly gain access to government servers.
“The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution,” CISA said, adding an unnamed federal agency was targeted between June and July 2023.
This vulnerability affects ColdFusion 2018 (Update 15 and older) and ColdFusion 2021 (Update 5 and older). It was addressed in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6, both released on March 14, 2023.
It was added to the Known Exploited Vulnerabilities (KEV) list by CISA a day later, citing evidence of active exploitation in the wild. Adobe said in an advisory issued at the time that it was aware of the flaw, which was being exploited “in a very limited number of attacks.”
The agency noted that at least two public-facing servers were compromised using the flaw, both of which were running older versions of the software.
“Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion,” CISA noted.
There is evidence to suggest that the malicious activity was a reconnaissance effort undertaken to map the wider network, although no lateral movement or data exfiltration has been observed.
In one of the incidents, the adversary was observed traversing the filesystem and uploading various artifacts to the web server, including binaries that are capable of exporting web browser cookies as well as malware designed to decrypt passwords for ColdFusion data sources.
A second event recorded in early June 2023 entailed the deployment of a remote access trojan that’s a modified version of the ByPassGodzilla web shell and “utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions.”
The adversary also unsuccessfully attempted to extract Windows registry files as well as download data from the command-and-control (C2) server.
“During this incident, analysis strongly suggests that threat actors may have accessed data contained in the ColdFusion seed.properties file through a web shell interface,” CISA said.
“The seed.properties file contains the seed value and encryption method used to encrypt passwords. The seed values can also be used to decrypt passwords. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in the seed.properties file.”
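The two behaviours CISA describes, HTTP POSTs dropping files into the ColdFusion directory and access to seed.properties, can be hunted for in web server access logs. The following is an added example, not part of the CISA advisory or the article; the log format, the ColdFusion path prefixes and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Simplified combined-log-format parser (assumed format; adapt to your server's log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: directories served by ColdFusion in this deployment; adjust as needed.
CF_PREFIXES = ("/cfide/", "/cfusion/", "/cf_scripts/")

# Constructed sample log, not real incident data.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512
203.0.113.7 - - [12/Jun/2023:10:01:09 +0000] "POST /CFIDE/scripts/ajax/upload.cfm HTTP/1.1" 200 0
203.0.113.7 - - [12/Jun/2023:10:02:15 +0000] "POST /cfusion/wwwroot/loader.cfm HTTP/1.1" 200 143
203.0.113.7 - - [12/Jun/2023:10:03:44 +0000] "GET /cfusion/lib/seed.properties HTTP/1.1" 200 211
198.51.100.4 - - [12/Jun/2023:10:05:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 302 0
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_request(rec):
    """Return the reasons a single request matches the reported tradecraft."""
    path = rec["path"].lower()
    reasons = []
    if rec["method"] == "POST" and path.startswith(CF_PREFIXES):
        reasons.append("POST into ColdFusion directory (possible file drop)")
    if "seed.properties" in path:
        reasons.append("request touches seed.properties (datasource password seed)")
    return reasons

def scan_log(text):
    """Parse every line and collect the requests that match at least one rule."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and (reasons := flag_request(rec)):
            findings.append({"ip": rec["ip"], "path": rec["path"], "reasons": reasons})
    return findings

def ips_by_hits(findings):
    """Rank source IPs by number of flagged requests to prioritise triage."""
    return Counter(f["ip"] for f in findings).most_common()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["path"], "; ".join(f["reasons"]))
    print(ips_by_hits(scan_log(SAMPLE_LOG)))
```

This only catches direct HTTP requests; a read of seed.properties through a web shell, as CISA describes, shows up in file-access auditing on the host rather than in the access log.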