Tag Archive for: adobe

Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers


SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency’s investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.

This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for tables mapped to the threat actors’ activity.

Overview

Adobe ColdFusion is a commercial application server used for rapid web-application development. ColdFusion supports proprietary markup languages for building web applications and integrates external components like databases and other third-party libraries. ColdFusion uses a proprietary language, ColdFusion Markup Language (CFML), for development but the application itself is built using JAVA.

In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software which are vulnerable to various CVEs. Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion.

Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. No evidence is available to confirm successful data exfiltration or lateral movement during either incident. Note: It is unknown if the same or different threat actors were behind each incident.

Incident 1

As early as June 26, 2023, threat actors obtained an initial foothold on a public-facing [T1190] web server running Adobe ColdFusion v2016.0.0.3 through exploitation of CVE-2023-26360. Threat actors successfully connected from malicious IP address 158.101.73[.]241. Disclaimer: CISA recommends organizations investigate or vet this IP address prior to taking action, such as blocking. This IP resolves to a public cloud service provider and possibly hosts a large volume of legitimate traffic.

The agency’s correlation of Internet Information Services (IIS) logs against open source[1] information indicates that the identified uniform resource identifier (URI) /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc was used to exploit CVE-2023-26360. The agency removed the asset from the network within 24 hours of the MDE alert.

Threat actors started process enumeration to obtain currently running processes on the web server and performed a network connectivity check, likely to confirm their connection was successful. Following additional enumeration efforts to obtain information about the web server and its operating system [T1082], the threat actors checked for the presence of ColdFusion version 2018 [T1518]—previous checks were also conducted against version 2016.

Threat actors were observed traversing the filesystem [T1083] and uploading various artifacts to the web server [T1105], to include deleting the file tat.cfm [T1070.004]. Note: This file was deleted prior to the victim locating it on the host for analysis. Its characteristics and functionality are unknown. In addition:

  • Certutil[2] was run against conf.txt [T1140] and decoded as a web shell (config.jsp) [T1505.003],[T1036.008]. Conf.txt was subsequently deleted, likely to evade detection.
    Note: Threat actors were only observed interacting with the config.jsp web shell from this point on.
  • HTTP POST requests [T1071.001] were made to config.cfm, an expected configuration file in a standard installation of ColdFusion [T1036.005]. Code review of config.cfm indicated malicious code—intended to execute on versions of ColdFusion 9 or less—was inserted with the intent to extract username, password, and data source uniform resource locators (URLs). According to analysis, this code insertion could be used in future malicious activity by the threat actors (e.g., by using the valid credentials that were compromised). This file also contained code used to upload additional files by the threat actors; however, the agency was unable to identify the source of their origin.
  • Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell [T1564.001]. Analysis of this phase found no indication of successful execution.
  • A small subset of events generated from various ColdFusion application logs identified that tat.cfm, config.jsp, and system.cfm failed to execute on the host due to syntax errors.

Threat actors created various files (see Table 1 below) in the C:\IBM directory using the initialization process coldfusion.exe. None of these files were located on the server (possibly due to threat actor deletion) but are assessed as likely threat actor tools. Analysts assessed the C:\IBM directory as a staging folder to support threat actors’ malicious operations.

Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions. Two artifacts are legitimate Microsoft files; threat actors were observed using these files following initial compromise for intended malicious purposes.

Table 1: Threat Actor Tools

File Name

Hash (SHA-1)

Description

eee.exe

b6818d2d5cbd902ce23461f24fc47e24937250e6

VirusTotal[3] flags this file as malicious. This was located in D:\$RECYCLE.BIN.

edge.exe

75a8ceded496269e9877c2d55f6ce13551d93ff4

The dynamic-link library (DLL) file msedge.dll attempted to execute via edge.exe but received an error.

Note: This file is part of the official Microsoft Edge browser and is a cookie exporter.

fscan.exe

be332b6e2e2ed9e1e57d8aafa0c00aa77d4b8656

Analysis confirmed at least three subnets were scanned using fscan.exe, which was launched from the C:\IBM directory [T1046].

RC.exe

9126b8320d18a52b1315d5ada08e1c380d18806b

RCDLL.dll attempted to execute via RC.exe but received an error.

Note: This file is part of the official Windows operating system and is called Microsoft Resource Compiler.

Note: The malicious code found on the system during this incident contained code that, when executed, would attempt to decrypt passwords for ColdFusion data sources. The seed value included in the code is a known value for ColdFusion version 8 or older—where the seed value was hard-coded. A threat actor who has control over the database server can use the values to decrypt the data source passwords in ColdFusion version 8 or older. The victim’s servers were running a newer version at the time of compromise; thus, the malicious code failed to decrypt passwords using the default hard-coded seed value for the older versions.

Incident 2

As early as June 2, 2023, threat actors obtained an initial foothold on an additional public-facing web server running Adobe ColdFusion v2021.0.0.2 via malicious IP address 125.227.50[.]97 through exploitation of CVE-2023-26360. Threat actors further enumerated domain trusts to identify lateral movement opportunities [T1482] by using nltest commands. The threat actors also collected information about local [T1087.001] and domain [T1087.002] administrative user accounts while performing reconnaissance by using commands such as localgroup, net user, net user /domain, and ID. Host and network reconnaissance efforts were further conducted to discover network configuration, time logs, and query user information.

Threat actors were observed dropping the file d.txt—decoded as d.jsp—via POST command in addition to eight malicious artifacts (hiddenfield.jsp, hiddenfield_jsp.class, hiddenfield_jsp.java, Connection.jsp, Connection_jsp.class, Connection_jsp.java, d_jsp.class, and d_jsp.java/). According to open source information, d.jsp is a remote access trojan (RAT) that utilizes a JavaScript loader [T1059.007] to infect the device and requires communication with the actor-controlled server to perform actions.[4] The agency’s analysis identified the trojan as a modified version of a publicly available web shell code.[5] After maintaining persistence, threat actors periodically tested network connectivity by pinging Google’s domain name system (DNS) [T1016.001]. The threat actors conducted additional reconnaissance efforts via searching for the .jsp files that were uploaded.

Threat actors attempted to exfiltrate the (Registry) files sam.zip, sec.zip, blank.jsp, and cf-bootstrap.jar. Windows event logs identified the actors were not successful due to the malicious activity being detected and quarantined. An additional file (sys.zip) was created on the system; however, there were no indications of any attempt to exfiltrate it. Analysis identified these files resulted from executed save and compress data processes from the HKEY_LOCAL_MACHINE (HKLM) Registry key, as well as save security account manager (SAM) [T1003.002] information to .zip files. The SAM Registry file may allow for malicious actors to obtain usernames and reverse engineer passwords; however, no artifacts were available to confirm that the threat actors were successful in exfiltrating the SAM Registry hive.

Windows event logs show that a malicious file (1.dat) was detected and quarantined. Analysis determined this file was a local security authority subsystem service (LSASS) dump [T1003.001] file that contained user accounts—to include multiple disabled credentials—and Windows new technology LAN manager (NTLM) passwords. The accounts were found on multiple servers across the victim’s network and were not successfully used for lateral movement.

As efforts for reconnaissance continued, the threat actors changed their approach to using security tools that were present on the victim server. Esentutl.exe[6] was used to attempt this registry dump. Attempts to download data from the threat actors’ command and control (C2) server were also observed but blocked and logged by the victim server. Threat actors further attempted to access SYSVOL, which is used to deliver policy and logon scripts to domain members on an agency domain controller [T1484.001]. The attempt was unsuccessful. Had the attempt succeeded, the threat actors may have been able to change policies across compromised servers.[7]

Note: During this incident, analysis strongly suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface. The seed.properties file contains the seed value and encryption method used to encrypt passwords. The seed values can also be used to decrypt passwords. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in seed.properties file. Versions of ColdFusion 9 or greater use the seed.properties file, which contains unique seed values that can only be used on a single server.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2-9 for all referenced threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 2: Initial Access

Technique Title

ID

Use

Exploit Public-Facing Application

T1190

Threat actors exploited two public-facing web servers running outdated versions of Adobe ColdFusion.

Table 3: Execution

Technique Title

ID

Use

Command and Scripting Interpreter: JavaScript

T1059.007

In correlation with open source information, analysis determined d.jsp is a RAT that utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions.

Table 4: Persistence

Technique Title

ID

Use

Server Software Component: Web Shell

T1505.003

Threat actors uploaded various web shells to enable remote code execution and to execute commands on compromised web servers.

Table 5: Privilege Escalation

Technique Title

ID

Use

Domain Policy Modification: Group Policy Modification

T1484.001

Threat actors attempted to edit SYSVOL on an agency domain controller to change policies.

Table 6: Defense Evasion

Technique Title

ID

Use

Masquerading: Match Legitimate Name or Location

T1036.005

Threat actors inserted malicious code with the intent to extract username, password, and data source URLs into config.cfm—an expected configuration file in a standard installation of ColdFusion.

Masquerading: Masquerade File Type

T1036.008

Threat actors used the .txt file extension to disguise malware files.

Indicator Removal: File Deletion

T1070.004

Threat actors deleted files following upload to remove malicious indicators.

Deobfuscate/Decode Files or Information

T1140

Threat actors used certutil to decode web shells hidden inside .txt files.

Hide Artifacts: Hidden Files and Directories

T1564.001

Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell.

Table 7: Credential Access

Technique Title

ID

Use

OS Credential Dumping: LSASS Memory

T1003.001

Threat actors attempted to harvest user account credentials through LSASS memory dumping.

OS Credential Dumping: Security Account Manager

T1003.002

Threat actors saved and compressed SAM information to .zip files.

Table 8: Discovery

Technique Title

ID

Use

System Network Configuration Discovery: Internet Connection Discovery

T1016.001

Threat actors periodically tested network connectivity by pinging Google’s DNS.

Network Service Discovery

T1046

Threat actors scanned at least three subnets to gather network information using fscan.exe, to include administrative data for future exfiltration.

System Information Discovery

T1082

Threat actors collected information about the web server and its operating system.

File and Directory Discovery

T1083

Threat actors traversed and were able to search through folders on the victim’s web server filesystem. Additional reconnaissance efforts were conducted via searching for the .jsp files that were uploaded.

Account Discovery: Local Account

T1087.001

Threat actors collected information about local user accounts.

Account Discovery: Domain Account

T1087.002

Threat actors collected information about domain users, including identification of domain admin accounts.

Domain Trust Discovery

T1482

Threat actors enumerated domain trusts to identify lateral movement opportunities.

Software Discovery

T1518

Following initial access and enumeration, threat actors checked for the presence of ColdFusion version 2018 on the victim web server.

Table 9: Command and Control

Technique Title

ID

Use

Application Layer Protocol: Web Protocols

T1071.001

Threat actors used HTTP POST requests to config.cfm, an expected configuration file in a standard installation of ColdFusion.

Ingress Tool Transfer

T1105

Threat actors were able to upload malicious artifacts to the victim web server.

MITIGATIONS

CISA recommends organizations implement the mitigations below to improve your organization’s cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to all critical infrastructure organizations and network defenders. CISA recommends that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices, limiting the impact of threat actor techniques and strengthening the security posture for their customers. For more information on secure by design, see CISA’s Secure by Design webpage.

Manage Vulnerabilities and Configurations

  • Upgrade all versions affected by this vulnerability. Keep all software up to date and prioritize patching according to CISA’s Known Exploited Vulnerabilities Catalog [1.E].
  • Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans.
  • Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign-on (SSO) technology via modern open standards. This also includes disabling default credentials.

Segment Networks

  • Employ proper network segmentation, such as a demilitarized zone (DMZ) [2.F]. The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or local area network (LAN) remains secure. Organizations typically store external-facing services and resources—as well as servers used for DNS, file transfer protocol (FTP), mail, proxy, voice over internet protocol (VoIP)—and web servers in the DMZ.
  • Use a firewall or web-application firewall (WAF) and enable logging [2.G, 2.T] to prevent/detect potential exploitation attempts. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules.
  • Implement network segmentation to separate network segments based on role and functionality [2.E]. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses.
  • Deploy application-aware network defenses to block improperly formed traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection systems (IDS) based on known-bad signatures are quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide malicious actions and remove data over common protocols, making the need for sophisticated, application-aware defensive mechanisms critical for modern network defenses.

Application Control

  • Enforce signed software execution policies. Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system integrity.
  • Application control should be used with signed software execution policies to provide greater control. Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded malicious code. See NSA’s Enforce Signed Software Execution Policies.

Manage Accounts, Permissions, and Workstations

  • Require phishing-resistant multifactor authentication (MFA) [2.H] for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
  • Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources.
  • Restrict file and directory permissions. Use file system access controls to protect folders such as C:\Windows\System32.
  • Restrict NTLM authentication policy settings, including incoming NTLM traffic from client computers, other member servers, or a domain controller.[8]

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 2-9).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REFERENCES

[1] Packet Storm Security: Adobe ColdFusion Unauthenticated Remote Code Execution
[2] MITRE: certutil
[3] VirusTotal: File – a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864
[4] Bleeping Computer: Stealthy New JavaScript Malware Infects Windows PCs with RATs
[5] GitHub: Tas9er/ByPassGodzilla
[6] MITRE: esentutl
[7] Microsoft: Active Directory – SYSVOL
[8] Microsoft: Restrict NTLM – Incoming NTLM Traffic

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

VERSION HISTORY

December 5, 2023: Initial version.

Source…

Hackers Exploit Adobe ColdFusion Vulnerabilities to Deploy Malware


  • Remote attackers can exploit pre-authentication RCE vulnerabilities in Adobe ColdFusion 2021 to seize control of affected systems.
  • Adobe has released security patches to address these vulnerabilities, but attackers are still exploiting them.
  • The attack campaign involves multiple stages, including probing, reverse shells, and the deployment of malware.
  • Four distinct malware strains have been identified: XMRig Miner, Satan DDoS/Lucifer, RudeMiner, and BillGates/Setag backdoor.
  • Users are advised to upgrade their systems promptly and deploy protection mechanisms to thwart ongoing attacks.

Numerous users of both Windows and macOS platforms are currently at risk due to vulnerabilities present in Adobe ColdFusion. This software suite, a popular choice for web application development, recently came under attack as remote attackers discovered and exploited pre-authentication remote code execution (RCE) vulnerabilities. Such vulnerabilities granted attackers the ability to seize control of affected systems, raising the alarm to a critical severity level.

The crux of these attacks targets the WDDX deserialization process within Adobe ColdFusion 2021. While Adobe responded swiftly with security updates (APSB23-40, APSB23-41, and APSB23-47), FortiGuard Labs observed continued exploitation attempts. 

An analysis of the attack patterns uncovered a process executed by the threat actors. They initiated probing activities using tools like “interactsh” to test the exploit’s effectiveness. These activities were observed involving multiple domains including mooo-ngcom, redteamtf, and h4ck4funxyz. The probing phase provided attackers insights into potential vulnerabilities and served as a precursor to more malicious actions.

The attack campaign’s sophistication extended to the utilization of reverse shells. By encoding payloads in Base64, attackers sought to gain unauthorized access to victim systems, enabling remote control. 

Notably, the analysis disclosed a multi-pronged approach, including the deployment of various malware variants. Attacks were launched from distinct IP addresses, raising concerns about the campaign’s widespread reach. Malware payloads were encoded…

Source…

Adobe Fixes ColdFusion Zero-Day – Again


Application Security
,
Governance & Risk Management
,
Next-Generation Technologies & Secure Development

Rework of Previous Update Available for ColdFusion Versions 2023, 2021 and 2018

Adobe Fixes ColdFusion Zero-Day - Again

Adobe released a fresh out-of-band security update to patch an improperly fixed ColdFusion zero-day vulnerability being actively exploited in the wild that allows attackers to bypass security controls. The update includes fixes for two other critical vulnerabilities.

See Also: JavaScript and Blockchain: Technologies You Can’t Ignore

The critical zero-day, tracked as CVE-2023-38205, with a CVSS score of 7.5, is an instance of improper access control that results in a security bypass. “Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion,” Adobe’s security bulletin says.

The zero-day affects the following versions:

  • ColdFusion 2023 – Update 2 and earlier versions
  • ColdFusion 2021 – Update 8 and earlier versions
  • ColdFusion 2018 – Update 18 and earlier versions

The Incomplete Fix

CVE-2023-38205 is a patch bypass for the incomplete fix for CVE-2023-29298, a ColdFusion authentication bypass discovered on July 11 by Rapid7 researcher Stephen Fewer.

Attackers used an exploit chain that capitalized on CVE-2023-29298 in the first part of the exploit and then used CVE-2023-29300/CVE-2023-38203 vulnerabilities to drop and run web shells on vulnerable ColdFusion servers to gain remote access to devices (see: Security Alert: Exploit Chain Actively Hits ColdFusion).

Adobe released an…

Source…

How to Code Sign Your Applications for Adobe AIR?


Code Signing for Adobe Air: Understanding the Process & How and Where to Purchase the Code Signing Certificate

Adobe Air is one the best runtime environments that can be used to build quality applications for web and mobile. It aids developers with several valuable features and components to make development easier and more effective.

However, running apps built in Adobe Air without security warnings is only possible through a legit Adobe code signing certificate. It ensures that your application code is safe and has not been tampered with and the app is safe to use.

Hence, purchasing an Adobe code signing certificate to run apps on Adobe Air is necessary.

How to Code Sign Your Apps for Adobe Air?

Cutting down to the chase, let us simply start with understanding the process of code signing for Adobe Air:

Step 1: Researching the Right Adobe Code Signing Certificate

To start with the process, you first must do a little research and find a suitable code signing certificate that will help you sign Adobe Air apps. Remember, you need to buy a certificate that supports the Adobe Air platform. Hence, make your research Adobe specific and decide which certificate is suitable for your application. Here are three options to choose from:

Step 2: Purchasing the Adobe Code Signing Certificate

After deciding which certificate is ideal for code signing for Adobe Air apps, you can make the actual purchase. Note that buying a code signing certificate for your Adobe Air apps will help you prevent the security warning messages that appear while installing or running the app on the web or mobile platforms.

Step 3: Learning the Process to Code Sign Adobe Air Apps

To sign your Adobe Air apps with an Adobe code signing certificate, you will first need to export your certificate as a .PFX file from the internet browser you are using. Once you have the .PFX file, you can use it to code sign Adobe Air apps.

Here is the process to export .PFX file from different internet browsers:

A. Microsoft Edge

The following is the process to export .PFX file from Microsoft Edge:

  1. Open the Microsoft Edge browser.
  2. Go to the upper right corner of the browser, click on the three dots, and select Settings.
  3. Select the…

Source…