Adobe ColdFusion is a commercial application server designed for rapid web application development, utilising a proprietary markup language and integrating external components such as databases. While ColdFusion Markup Language (CFML) is used for development, the application server itself is written in Java.
In June 2023, by exploiting CVE-2023-26360, malicious actors gained initial access to two separate agency systems on different occasions. Both incidents were flagged by Microsoft Defender for Endpoint (MDE), which detected potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Notably, both servers were running outdated software versions susceptible to multiple CVEs. The threat actors executed various commands on the compromised web servers and used the exploited vulnerability to drop malware via HTTP POST requests to the ColdFusion-associated directory path.
According to the analysis by the cyber security companies that investigated the activity, the threat actors were most likely conducting reconnaissance to map the larger network. There is no evidence of successful lateral movement or data exfiltration during either incident. It is unclear whether the same threat actors or different ones were responsible for each incident.
Incident 01
On June 26, 2023, malicious actors gained initial access to a publicly accessible web server running Adobe ColdFusion v2016.0.0.3 by exploiting CVE-2023-26360. The connection originated from the IP address 158.101.73[.]241. CISA recommends that organisations investigate this address before taking preventive measures such as blocking, because it resolves to a public cloud service provider that may also carry legitimate traffic.
By cross-referencing Internet Information Services (IIS) logs with open-source information, the agency identified the exploitation of CVE-2023-26360 through the URI /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc. The agency removed the affected asset from the network within 24 hours of the Microsoft Defender for Endpoint (MDE) alert.
Following the initial breach, the threat actors enumerated running processes on the web server and performed a network connectivity check, most likely to confirm that their connection had succeeded. They then carried out further enumeration to gather information about the web server and its operating system. The actors also checked for the presence of ColdFusion version 2018, having previously assessed version 2016.
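To illustrate the kind of log cross-referencing the agency performed, here is an added Python example (not from the advisory) that parses IIS W3C-format logs and flags requests to the exploited iedit.cfc component or POSTs into shipped ColdFusion directories; the log lines, client addresses and the /cfide/ directory list are constructed assumptions.

```python
"""Triage IIS W3C logs for the CVE-2023-26360 request pattern described above.
Added example, not from the advisory; log lines and client IPs are constructed."""
from collections import Counter

# ColdFusion component the agency found in its IIS logs (kept lower-case for matching).
IEDIT_URI = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc"
# Shipped ColdFusion directories where application POSTs are not expected (assumption).
CF_DIRS = ("/cf_scripts/", "/cfide/")

# Constructed sample log; 198.51.100.23 and 203.0.113.7 are documentation addresses.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-06-26 03:12:44 10.0.0.5 GET /index.cfm - 443 203.0.113.7 Mozilla/5.0 200
2023-06-26 03:13:01 10.0.0.5 POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc method=upload 443 198.51.100.23 python-requests/2.31 200
2023-06-26 03:13:09 10.0.0.5 POST /cf_scripts/config.cfm - 443 198.51.100.23 python-requests/2.31 200
2023-06-26 03:14:30 10.0.0.5 POST /checkout.cfm - 443 203.0.113.7 Mozilla/5.0 302
2023-06-26 03:15:27 10.0.0.5 GET /cf_scripts/scripts/ajax/package/cfajax.js - 443 203.0.113.7 Mozilla/5.0 200
"""

def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def flag_coldfusion_requests(text):
    """Return (hits, per_ip): requests to iedit.cfc, or POSTs into a shipped
    ColdFusion directory (the path by which the advisory says payloads were dropped)."""
    hits = []
    for rec in parse_iis_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem == IEDIT_URI:
            reason = "request to CVE-2023-26360 endpoint"
        elif rec.get("cs-method", "").upper() == "POST" and stem.startswith(CF_DIRS):
            reason = "POST into ColdFusion directory"
        else:
            continue  # ordinary application traffic, e.g. the /checkout.cfm POST
        hits.append({"time": f"{rec.get('date')} {rec.get('time')}", "ip": rec.get("c-ip"),
                     "uri": rec.get("cs-uri-stem"), "reason": reason})
    return hits, Counter(h["ip"] for h in hits)
```

The per-IP tally is the pivot for the next step the agency took: checking the source address against open-source information before deciding whether to block it.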
The threat actors traversed the file system, uploaded various artifacts to the web server, and deleted the file tat.cfm. Because the file was deleted before the victim could recover it during the analysis, its characteristics and functionality remain unknown.
Additionally:
Certutil was executed on conf.txt, decoding it into a web shell (config.jsp). To evade detection, the threat actors then deleted conf.txt. From this point onward, the threat actors interacted exclusively with the config.jsp web shell.
HTTP POST requests were directed to config.cfm, a configuration file expected in a standard ColdFusion installation. Code examination revealed malicious code in config.cfm designed to execute on ColdFusion version 9 or lower and aimed at extracting usernames, passwords, and data source URLs. Analysts assess that this code insertion could facilitate future malicious activity using the compromised credentials. The file also contained code allowing the threat actors to upload additional files, although the origin of those files remains unidentified.
To conceal the newly created config.jsp web shell, threat actors attempted to run attrib.exe. However, analysis revealed no evidence of successful execution during this phase.
A limited set of events from various ColdFusion application logs indicated that tat.cfm, config.jsp, and system.cfm failed to execute on the host because of syntax errors.
The malicious actors created several files (refer to Table 1) in the C:\IBM directory, with coldfusion.exe as the initiating process. None of these files were found on the server, possibly because the actors deleted them, but they are presumed to be tools employed by the threat actors. Analysts determined that the C:\IBM directory served as a staging folder for the threat actors’ malicious activity.
The malicious script discovered on the system in this incident contained instructions that, upon execution, attempted to decrypt passwords associated with ColdFusion data sources. The seed value embedded in the code corresponds to a known value for ColdFusion version 8 or earlier, where the seed was statically defined. A threat actor who controls the database server can use these values to decrypt data source passwords on ColdFusion version 8 or older. However, the victim’s servers were running a more recent version at the time of the compromise, so the malicious code failed to decrypt passwords using the default hard-coded seed value that applies to the older versions.
Incident 02
On June 2, 2023, malicious actors established an initial presence on an additional public-facing web server running Adobe ColdFusion v2021.0.0.2, exploiting CVE-2023-26360 from the malicious IP address 125.227.50[.]97. The threat actors proceeded to enumerate domain trusts with Nltest commands, seeking opportunities for lateral movement. At the same time, they gathered information on local and domain administrative user accounts using commands such as localgroup, net user, net user /domain, and ID. Subsequent host and network reconnaissance uncovered network configurations, time logs, and user information.
The threat actors executed a POST command that dropped the file d.txt (decoded as d.jsp) along with eight malicious artifacts (hiddenfield.jsp, hiddenfield_jsp.class, hiddenfield_jsp.java, Connection.jsp, Connection_jsp.class, Connection_jsp.java, d_jsp.class, and d_jsp.java). d.jsp, identified as a remote access trojan (RAT), used a JavaScript loader to infect the device and required communication with an actor-controlled server. Agency analysis classified the trojan as a modified version of publicly available web shell code. After establishing persistence, the threat actors tested network connectivity from time to time by pinging Google’s DNS. Additional reconnaissance involved searching for uploaded .jsp files.
Exfiltration attempts targeted sam.zip, sec.zip, blank.jsp, and cf-bootstrap.jar (Registry files). While Windows event logs revealed detection and quarantine, an additional file (sys.zip) was created but showed no signs of exfiltration attempts. These files resulted from processes saving and compressing data from the HKEY_LOCAL_MACHINE (HKLM) Registry key, including SAM information. Though the SAM Registry file may allow malicious actors to obtain usernames and reverse engineer passwords, no evidence confirmed successful exfiltration.
Windows event logs indicated the detection and quarantine of a malicious file (1.dat), identified as a local security authority subsystem service (LSASS) dump containing user accounts, including multiple disabled credentials and Windows NTLM passwords. Despite being present across the victim’s network, these accounts were not successfully leveraged for lateral movement.
During continued reconnaissance, threat actors shifted to using security tools on the victim server, employing esentutl.exe for a registry dump. Efforts to download data from the command and control (C2) server were blocked and logged, and an unsuccessful attempt was made to access SYSVOL for policy and logon script delivery on an agency domain controller. A successful attempt might have allowed the threat actors to modify policies across compromised servers.
Mitigation
CISA suggests that organisations adopt the following measures to improve their cybersecurity posture in response to the threat actor activity described above. These measures are in line with the Cross-Sector Cybersecurity Performance Goals (CPGs) established by CISA and the National Institute of Standards and Technology (NIST). The CPGs outline a foundational set of practices and safeguards that CISA and NIST advise all organisations to implement, drawing on existing cybersecurity frameworks and guidance. They are designed to protect against prevalent and impactful threats across a range of tactics, techniques, and procedures.
These recommendations apply to all critical infrastructure entities and network defenders. CISA also recommends that software manufacturers integrate secure-by-design and secure-by-default principles and tactics into their software development processes, to minimise the impact of threat actor techniques and strengthen the security posture of end users. Additional information is available on CISA’s Secure by Design webpage. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for a comprehensive description of the CPGs and additional recommended baseline protections.
Managing Vulnerabilities and Configurations
Mr. Manish Chaudhari, CISO of Cybernetic Global Intelligence, an internationally recognised provider of IT security consulting, said that “it is important to ensure that all versions susceptible to this vulnerability are upgraded.”
He also stated that “maintaining the currency of all software and prioritising patching based on CISA’s Known Exploited Vulnerabilities Catalog is significant too”.
“Give precedence to addressing vulnerabilities on systems accessible from the internet, which can be achieved through regular automated or routine vulnerability scans.”
“At the same time, prioritise the adoption of secure-by-default configurations, such as the removal of default passwords and the implementation of single sign-on (SSO) technology using contemporary open standards.”
Best Ways to Segment Networks
Implement effective network segmentation, such as the establishment of a demilitarised zone (DMZ)
The ultimate objective of a DMZ network is to enable an organisation to connect to untrusted networks, like the internet, while safeguarding its private network or local area network (LAN). Typically, external-facing services and resources, as well as servers for DNS, file transfer protocol (FTP), mail, proxy, voice over internet protocol (VoIP), and web servers, are housed in the DMZ.
Utilise a firewall or web-application firewall (WAF)
In addition to deploying a firewall or web-application firewall, enable logging on it so that exploitation attempts can be detected and, where possible, blocked. Review and control both inbound and outbound firewall rules, blocking any unauthorised protocols, and restrict the use of risky (yet approved) protocols through rules.
Enforce network segmentation to segregate network segments based on their roles and functionalities
This form of segmentation significantly diminishes the likelihood of lateral movement by threat actors, as it regulates traffic flows between different subnetworks and restricts access. Refer to CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses for more guidance.
Deploy application-aware network defences
Application-aware network defences are intended to block improperly formed traffic and restrict content according to policy and legal authorisations. Traditional intrusion detection systems (IDS) that rely on known-bad signatures are becoming less effective because of encryption and obfuscation techniques. Modern network defences require sophisticated, application-aware mechanisms to counter threat actors who conceal malicious actions and remove data over common protocols.
Application Control
Implement signed software execution policies.
For greater control, combine application control with signed software execution policies.
Handling Accounts, Permissions, and Workstations
Mandate the use of multifactor authentication (MFA) that is resistant to phishing attempts for all services, especially emphasising webmail, VPN, and accounts with access to critical systems.
Enforce the principle of least privilege to minimise the capabilities of threat actors in accessing crucial network resources.
Control permissions for files and directories, utilising file system access controls to safeguard folders like C:\Windows\System32.
Limit NTLM authentication policy settings, including incoming NTLM traffic from client computers, other member servers, or a domain controller.
Verify Security Measures
Alongside implementing mitigations, CISA suggests actively exercising, testing, and validating your organization’s security program by evaluating it against the threat behaviors outlined in the MITRE ATT&CK for Enterprise framework in this advisory. CISA advises conducting tests on your current inventory of security controls to gauge their effectiveness in countering the ATT&CK techniques specified in this advisory.