A security flaw in Adobe’s ColdFusion application development tool that was patched in March continues to be a headache for organizations running unpatched versions of the product.

This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said two public-facing web servers at an unnamed federal government agency were breached by one or two separate groups this summer, with the hackers moving through filesystems, planting malware – including a remote access trojan (RAT) – and viewed data through a web shell interface.

The attackers in both incidents exploited a vulnerability – tracked as CVE-2023-26360 – in the ColdFusion software, according to a CISA advisory released this week. The agency said the bad actors were able to get an initial foothold in the web servers through the flaw, though Microsoft’s Defender for Endpoint alerted the targeted agency to the intrusion into the systems, which were in its pre-production environment.

“Both servers were running outdated versions of software which are vulnerable to various CVEs,” CISA wrote. “Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion.”

However, an analysis of the incidents “suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network,” according to CISA. “No evidence is available to confirm successful data exfiltration or lateral movement during either incident. … It is unknown if the same or different threat actors were behind each incident.”

A Bug that Sticks Around

CVE-2023-26360 allows for arbitrary code execution that doesn’t require any action by the targeted victims. Adobe patched the ColdFusion software in March, noting that the flaw had been exploited “in the wild in very limited attacks.” The vulnerability effects ColdFusion versions 2018 Update 15 and earlier and 2021 Update 5 and earlier. In addition, it also impacts even earlier versions of the software that Adobe doesn’t support anymore.

Despite the patch, threat actors have continued to exploit the bug in unpatched systems. Security researchers from Fortinet’s FortiGuard Labs wrote in an advisory in August that they continue to see targeted attacks aimed at exploiting the flaw, adding that IPS devices had blocked hundreds of such attacks in late summer.

In addition, Rapid7 researchers wrote that an access control bypass vulnerability – CVE-2023-29298 – in ColdFusion could be chained with CVE-2023-26360 in attacks.

Two Servers, Two Incidents

Both incidents against the unnamed federal agency happened in June. In the earlier one that started as early as June 2, the hackers gained access into the web server through a malicious IP address by exploiting the ColdFusion flaw. Once in, they identified opportunities for lateral movement, viewed information about local and domain administrative user accounts, and running reconnaissance of the host and network.

They also dropped eight malicious artifacts, including one that CISA wrote was a RAT “that utilizes a JavaScript loader … to infect the device and requires communication with the actor-controlled server to perform actions.” The agency said the RAT was a modified version of a publicly available web shell code.

The bad actors also tried to exfiltrate various files but were stopped after the attack was detected and quarantined. One malicious file – a local security authority subsystem server dump file that contained user accounts and Windows new technology LAN manager (NTLM) passwords – also was detected and quarantined.

Other attempts to try the registry dump and download data from the threat actors’ command-and-control server were blocked, as were efforts to access SYSVOL, used to deliver policy and logon scripts to domain members on an agency domain controller.

The hackers likely viewed data in the ColdFusion seed.properties file through the web shell interfact. The file “contains the seed value and encryption method used to encrypt passwords. The seed values can also be used to decrypt passwords. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in seed.properties file.”

Versions of ColdFusion 9 or greater use the seed.properties file, which contains unique seed values that can only be used on a single server.

A Similar Pattern

In the second incident, the hackers tried to get information about the web server and its operating system, ran a connectivity check, and checked to see if ColdFusion version 2018 was present. Previous checks were also conducted against version 2016.

As with the first attack, the threat actors were in the filesystem and uploaded malicious code to the web server. They inserted malicious code to execute versions of ColdFusion 9 or less to extract usernames, passwords, and data source URLs.

“According to analysis, this code insertion could be used in future malicious activity by the threat actors (e.g., by using the valid credentials that were compromised),” CISA wrote. “This file also contained code used to upload additional files by the threat actors; however, the agency was unable to identify the source of their origin.”