
In an attack recently investigated by Sophos, an unknown threat actor exploited an ancient-in-internet-years vulnerability in an 11-year-old installation of Adobe ColdFusion 9 to take control of the ColdFusion server remotely, then to execute ransomware known as Cring on the server and against other machines on the target's network. While several other machines were "bricked" by the ransomware, the server hosting ColdFusion was partially recoverable, and Sophos was able to pull evidence in the form of logs and files from the machine. The server was running the Windows Server 2008 operating system, which Microsoft end-of-lifed in January 2020; Adobe declared end-of-life for ColdFusion 9 in 2016. As a result, neither the operating system nor the ColdFusion software could be patched.

Despite the age of the software and the server, the attacker used fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks by deleting logs and other artifacts that could be used in an investigation. The incident serves as a stark reminder that IT administrators cannot leave out-of-date critical business systems facing the public internet.

Logs from the server indicate that an attacker, using an internet address assigned to the Ukrainian ISP Green Floid, began scanning the target's website just before 10am local time, using an automated tool to try to browse to more than 9,000 paths on the target's website in just 76 seconds. The scans revealed that the web server was hosting valid files and URI paths specific to ColdFusion installations, such as /admin.cfm, /login.cfm, and /CFIDE/Administrator/. Three minutes later, the attacker took advantage of CVE-2010-2861, a directory traversal vulnerability in ColdFusion that permits a remote user to retrieve files from web server directories that aren't supposed to be available to the public. In this case, they retrieved a file called password.properties from the server. Next, the attacker appears to have exploited another vulnerability in ColdFusion, CVE-2009-3960, an XML external entity (XXE) flaw in the BlazeDS component that permits a remote attacker to inject data through an abuse of ColdFusion's XML handling. This permitted the attacker to upload a file to the ColdFusion server by performing an HTTP POST to the /flex2gateway/amf path on the server.

That file may have been the web shell code recovered from the server inside of a Cascading Stylesheet (CSS) file, which was designed to pass parameters directly to the Windows command shell.

Roughly 62 hours later, just before midnight on a Saturday night/Sunday morning, the attackers returned. The attacker wrote out the web shell, encoded in base64, from c:\windows\temp\csa.log into the ColdFusion install tree at E:\cf9_final\cfusion\ and then attempted to use the web shell to load a Cobalt Strike beacon executable onto the server. Using the beacon, they afterwards overwrote the file that had contained the web shell, deliberately writing garbled data over the files to hinder any future investigation.
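The intrusion chain described above (a burst of automated path scanning from one address, a directory-traversal read of password.properties, then a POST to /flex2gateway/amf) leaves a recognisable trail in ordinary web server logs. The following detection sketch is an added example, not Sophos' code or anything recovered from the incident. It reads W3C-style IIS log lines in a constructed sample and flags the three behaviours. The shape of the traversal request (a `locale` parameter on a /CFIDE/administrator/ page carrying `../` sequences and a `%00` terminator) follows public descriptions of CVE-2010-2861 and is an assumption about what the attacker's request looked like; the page itself does not show it.

```python
"""Detection sketch for the ColdFusion intrusion pattern described in the article.

Added example (not Sophos' code). Reads W3C-style IIS log lines of the form
  date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
and flags:
  * one client IP issuing a burst of requests (mass path scanning),
  * directory-traversal sequences, especially ones aimed at password.properties
    (the CVE-2010-2861 pattern),
  * POSTs to the /flex2gateway/ AMF endpoint (the upload path abused via CVE-2009-3960).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log, not real data. 203.0.113.7 (documentation range) is the scanner;
# 198.51.100.20 is a benign client. The locale= request shape is assumed from public
# write-ups of CVE-2010-2861.
SAMPLE_LOG = """\
2021-01-01 09:58:01 203.0.113.7 GET /admin.cfm - 200
2021-01-01 09:58:01 203.0.113.7 GET /login.cfm - 200
2021-01-01 09:58:01 203.0.113.7 GET /CFIDE/administrator/ - 200
2021-01-01 09:58:02 203.0.113.7 GET /phpmyadmin/ - 404
2021-01-01 09:58:02 203.0.113.7 GET /wp-login.php - 404
2021-01-01 09:58:02 198.51.100.20 GET /index.cfm - 200
2021-01-01 10:01:10 203.0.113.7 GET /CFIDE/administrator/enter.cfm locale=../../../../../../../lib/password.properties%00en 200
2021-01-01 10:04:30 203.0.113.7 POST /flex2gateway/amf - 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)
# Matched against the URL-decoded path+query, so %2e%2e%2f and %00 are caught too.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|\x00)")
SENSITIVE_RE = re.compile(r"password\.properties", re.IGNORECASE)


def parse(log_text):
    """Turn log text into a list of event dicts, skipping headers and malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        events.append({
            "ts": ts, "ip": m["ip"], "method": m["method"].upper(),
            "stem": m["stem"], "query": "" if m["query"] == "-" else m["query"],
            "status": int(m["status"]),
        })
    return events


def request_bursts(events, threshold, window_seconds):
    """Return {ip: peak requests in any sliding window} for IPs at or over threshold."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def analyze(log_text, burst_threshold=200, window_seconds=60):
    """Return {ip: [(finding_kind, detail), ...]} for every IP with at least one finding."""
    events = parse(log_text)
    findings = defaultdict(list)
    for ip, peak in request_bursts(events, burst_threshold, window_seconds).items():
        findings[ip].append(("scan_burst", f"{peak} requests within {window_seconds}s"))
    for e in events:
        target = unquote(e["stem"] + ("?" + e["query"] if e["query"] else ""))
        if TRAVERSAL_RE.search(target):
            kind = "traversal_sensitive_file" if SENSITIVE_RE.search(target) else "traversal"
            findings[e["ip"]].append((kind, target))
        if e["method"] == "POST" and e["stem"].lower().startswith("/flex2gateway/"):
            findings[e["ip"]].append(("amf_gateway_post", e["stem"]))
    return dict(findings)


if __name__ == "__main__":
    # Low thresholds so the eight-line sample trips the burst rule; tune for real traffic.
    for ip, items in analyze(SAMPLE_LOG, burst_threshold=4, window_seconds=5).items():
        for kind, detail in items:
            print(f"{ip}\t{kind}\t{detail}")
```

The burst threshold here is deliberately low so the short sample trips it; against real traffic a 9,000-requests-in-76-seconds scanner would clear any sane default. Decoding the URL before matching matters: traversal probes are routinely sent as `%2e%2e%2f` or with `..\` on Windows hosts, and the `%00` terminator that makes the `.properties` read work would be missed by a check on the raw line.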
