Attackers breach US government agencies through ColdFusion flaw

In a new advisory that shows why it’s critical to keep Adobe ColdFusion deployments up to date, the US Cybersecurity and Infrastructure Security Agency (CISA) warns that two federal agencies were breached by attackers in June through an unpatched vulnerability in the application server software. The attackers used their access to deploy web shells and collect information that would enable lateral movement in the environments. The breached ColdFusion instances were outdated in both cases as the exploited vulnerability had a fix available since March.

“Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network,” CISA said in its advisory without attributing the attacks to any known group. “No evidence is available to confirm successful data exfiltration or lateral movement during either incident.”

A critical deserialization vulnerability

The vulnerability exploited in the two incidents is tracked as CVE-2023-26360 and is a critical deserialization flaw that can be exploited to achieve remote code execution. It affects ColdFusion 2021, ColdFusion 2018, as well as older versions that are no longer supported. The flaw was patched in March together with another critical deserialization vulnerability (CVE-2023-26359) and a path traversal issue.

In programming, serialization is the process of converting data into a stream of bytes, usually to transmit it over the wire. Deserialization is the reversal of that process and, as with most data parsing operations in software, it can be a source of vulnerabilities if users control the input. Unsafe deserialization flaws have plagued Java applications for years, and ColdFusion, a server platform for running CFML applications, is written in Java.

Deserialization flaws are not uncommon in ColdFusion. Since March, Adobe patched six more such flaws that were rated critical and could result in arbitrary code execution, three of them last month. Attackers also have an appetite for exploiting them, with a ColdFusion deserialization flaw patched in July seeing active exploitation in the wild.

Implants target both the underlying server and ColdFusion itself

While ColdFusion is cross-platform software, it is commonly deployed on Windows servers running the IIS web server. This makes it an attractive target for hackers because the underlying server might contain accounts and other information that could allow lateral movement inside an organization’s Windows network.

In both cases the attackers used the vulnerability to upload encrypted files with the extension .txt, which were then decoded using the certutil Windows utility into .jsp files that served as web shells: backdoor scripts that allow attackers to remotely execute commands on a server. In one of the incidents the attackers created a staging folder where they dropped several utilities: a cookie exporting DLL file that is part of Microsoft’s Edge browser, a network resource scanner called fscan.exe, a copy of the Microsoft Resource Compiler, and other executables.

The malicious web shell also contained code that attempted to decrypt passwords for ColdFusion data sources. ColdFusion saves passwords in encrypted form with a seed value that was hard-coded in ColdFusion 8, but is unique for each installation in later versions.

“A threat actor who has control over the database server can use the values to decrypt the data source passwords in ColdFusion version 8 or older,” CISA explains. “The victim’s servers were running a newer version at the time of compromise; thus, the malicious code failed to decrypt passwords using the default hard-coded seed value for the older versions.”

The attackers behind the second incident seem to have been more skilled and used more advanced reconnaissance tactics. They enumerated domain trusts by using nltest commands and they collected information about local and domain administrative accounts by using commands such as localgroup, net user, net user /domain and ID. They also attempted to discover network configuration, time logs, and query user information.

According to CISA the attackers attempted to copy and exfiltrate system registry hives such as HKEY_LOCAL_MACHINE (HKLM) and the Security Account Manager (SAM), but the activity was detected and blocked. “The SAM Registry file may allow for malicious actors to obtain usernames and reverse engineer passwords; however, no artifacts were available to confirm that the threat actors were successful in exfiltrating the SAM Registry hive,” the agency said.

The attackers also dumped the memory of the local security authority subsystem service (LSASS), which usually contains NTLM credentials for user accounts that were used on the system, including disabled credentials that might still be valid on other systems.

When some of their attempts were blocked, the attackers changed tactics and attempted to dump the registry through security tools that were present on the system. They further attempted to access SYSVOL on a domain controller, a shared folder that is used to deliver policy and logon scripts to domain members.
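One way to turn the post-compromise activity described above into detection logic, as an added example that is not part of the article or the CISA advisory: a Python script that scans constructed process-creation and process-access events for the certutil decode into a .jsp file, the nltest and net enumeration commands, the HKLM/SAM hive export, and access to LSASS, ranking a hit higher when the parent is the ColdFusion service process. The log format, the sample events, all paths, and the ColdFusion image names (coldfusion.exe, java.exe) are assumptions.

```python
"""Added detection example: flag ColdFusion web-shell follow-on activity
in process telemetry. Not from the CISA advisory; format is assumed."""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts kind parent image detail")

# Constructed sample events, one per line: ts|kind|parent|image|detail.
# For ProcessCreate, detail is the command line; for ProcessAccess it is
# the target image (Sysmon-style). Every path and name here is made up.
SAMPLE_LOG = r"""
2023-06-26T10:01:11Z|ProcessCreate|coldfusion.exe|cmd.exe|cmd /c certutil -decode C:\CF\wwwroot\u.txt C:\CF\wwwroot\u.jsp
2023-06-26T10:02:30Z|ProcessCreate|coldfusion.exe|nltest.exe|nltest /domain_trusts
2023-06-26T10:02:45Z|ProcessCreate|cmd.exe|net.exe|net user /domain
2023-06-26T10:03:10Z|ProcessCreate|cmd.exe|net.exe|net localgroup administrators
2023-06-26T10:05:00Z|ProcessCreate|cmd.exe|reg.exe|reg save HKLM\SAM C:\Windows\Temp\s.hiv
2023-06-26T10:06:00Z|ProcessAccess|cmd.exe|taskmgr.exe|C:\Windows\System32\lsass.exe
2023-06-26T10:07:00Z|ProcessCreate|explorer.exe|notepad.exe|notepad C:\Users\a\n.txt
"""

# Each rule: name, event kind it applies to, pattern matched against `detail`.
RULES = [
    ("certutil_decode_to_jsp", "ProcessCreate",
     re.compile(r"certutil(\.exe)?\s.*-decode\s.*\.jsp\b", re.I)),
    ("domain_trust_enum", "ProcessCreate",
     re.compile(r"\bnltest(\.exe)?\s+/(domain_trusts|dclist)", re.I)),
    ("account_enum", "ProcessCreate",
     re.compile(r"\bnet(1)?(\.exe)?\s+(user|localgroup|group)\b", re.I)),
    ("registry_hive_export", "ProcessCreate",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)),
    ("lsass_access", "ProcessAccess",
     re.compile(r"\\lsass\.exe$", re.I)),
]
# Assumed image names of the ColdFusion service; a child of these is web-shell spawned.
CF_PROCESSES = {"coldfusion.exe", "java.exe"}

def parse(log):
    """Split pipe-delimited lines into Event tuples; detail may itself contain pipes."""
    return [Event(*line.split("|", 4)) for line in log.splitlines() if line.strip()]

def detect(events):
    """Return (rule, severity, ts) hits; 'high' when the parent is the ColdFusion process."""
    hits = []
    for ev in events:
        for name, kind, pat in RULES:
            if ev.kind == kind and pat.search(ev.detail):
                sev = "high" if ev.parent.lower() in CF_PROCESSES else "medium"
                hits.append((name, sev, ev.ts))
    return hits

if __name__ == "__main__":
    for hit in detect(parse(SAMPLE_LOG)):
        print(*hit)
```

In a real deployment the parent check should also cover the Java process started from the ColdFusion install directory, since a web shell's commands are children of whatever hosts the servlet engine.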

As far as ColdFusion-specific post-compromise techniques are concerned, the attackers accessed the ColdFusion seed.properties file, which is used to store the unique seed that’s used to encrypt passwords.

The CISA advisory contains indicators of compromise as well as tactics, techniques and procedures (TTPs) that could help organizations develop detection mechanisms for similar attacks against ColdFusion deployments. The agency also provides mitigation instructions ranging from keeping the software up to date to network segmentation, application control policies and account and file permissions.
