On 5 December 2023, the United States (US) Cybersecurity and Infrastructure Security Agency (CISA) released an advisory describing two intrusions in June 2023 in which unidentified threat actors established a foothold on servers belonging to a federal civilian executive branch (FCEB) agency. The two events share the same initial access vector: exploitation of CVE-2023-26360 (CVSS 8.8), a high-severity improper access control vulnerability affecting Adobe ColdFusion 2018 Update 15 and earlier and ColdFusion 2021 Update 5 and earlier.
The attackers exploited internet-facing servers running outdated versions of the vulnerable software and were reportedly able to drop malware via HTTP POST requests. They then used the Windows certificate services command-line utility certutil.exe to decode a JSP webshell ("conf.jsp") and began interacting with it.
In the first incident, malicious code was inserted into the ColdFusion configuration file "conf.cfm". CISA's analysis of this code suggests the actor was attempting to collect system and network information, specifically usernames, passwords, and data source URLs. This activity is consistent with reconnaissance and, according to CISA, did not lead to further security impact.
In the second incident the attackers carried out more extensive enumeration, apparently seeking opportunities for lateral movement, using the Windows domain and trust enumeration utility nltest.exe. The actor sought to discover network configuration, time logs, and user information, and subsequently dropped several files, including a remote access trojan ("d.jsp") that uses a JavaScript loader. Based on these actions, CISA assesses that the actor tried to obtain valid credentials through several methods, including attempts to dump the Security Account Manager (SAM) registry hive, among them a living-off-the-land attempt using the Extensible Storage Engine database maintenance tool esentutl.exe. All of these attempts were reportedly unsuccessful.
The CISA reports that analysis of the actor's activity revealed interaction with the following infrastructure:
IP address 158.101.73[.]241 with a geolocation in Chiba, Japan;
IP address 125.227.50[.]97 geolocating in New Taipei, Taiwan.
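The tradecraft above (certutil.exe decoding a .jsp webshell spawned under the ColdFusion JVM, nltest.exe trust enumeration, SAM hive copies via esentutl.exe or reg.exe, and POSTs to script files from the two listed IP addresses) maps onto a small set of host and web-log detections. The following is an added example, not code from CISA or Adobe: it runs those checks over constructed Sysmon-style process events and Combined Log Format web access lines embedded in the script. The field names, file paths, the allowlist of legitimate POST endpoints, and the sample events are all assumptions made for the illustration; only the two IP addresses come from the advisory.

```python
"""Detection checks for the AA23-339A tradecraft over constructed sample telemetry.
Added example; not CISA's or Adobe's code. All events below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Defanged infrastructure quoted in the advisory, refanged here for matching.
IOC_IPS = {ip.replace("[.]", ".") for ip in ("158.101.73[.]241", "125.227.50[.]97")}

# Assumed allowlist of endpoints that legitimately receive POSTs on this server.
KNOWN_POST_ENDPOINTS = {"/cfide/administrator/index.cfm", "/app/login.cfm"}
LOLBINS = {"cmd.exe", "powershell.exe", "certutil.exe", "nltest.exe",
           "esentutl.exe", "reg.exe", "whoami.exe"}

SCRIPT_EXT = re.compile(r"\.(jsp|jspx|cfm|cfml|war|exe|dll)\b", re.IGNORECASE)
SAM_HIVE_PATH = re.compile(r"\\config\\(SAM|SYSTEM|SECURITY)\b", re.IGNORECASE)
REG_SAVE_HIVE = re.compile(r"\bsave\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.IGNORECASE)
CERTUTIL_FETCH = re.compile(r"-(decode|decodehex|urlcache)\b", re.IGNORECASE)
NLTEST_RECON = re.compile(r"/(domain_trusts|all_trusts|dclist|dsgetdc|trusted_domains)", re.IGNORECASE)
# Combined Log Format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')


@dataclass
class Finding:
    rule: str
    detail: str


def check_process(event: dict) -> list[Finding]:
    """Evaluate one process-creation event (assumed fields: image, cmdline, parent)."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event.get("parent", "").lower()
    cmd = event["cmdline"]
    findings: list[Finding] = []
    # certutil -decode/-urlcache writing a server-side script is the webshell drop pattern.
    if image == "certutil.exe" and CERTUTIL_FETCH.search(cmd) and SCRIPT_EXT.search(cmd):
        findings.append(Finding("certutil_decode_webshell", cmd))
    # esentutl /y on a registry hive file, or reg save of the hive, is a SAM dump attempt.
    if image in ("esentutl.exe", "reg.exe") and (SAM_HIVE_PATH.search(cmd) or REG_SAVE_HIVE.search(cmd)):
        findings.append(Finding("sam_hive_dump", cmd))
    if image == "nltest.exe" and NLTEST_RECON.search(cmd):
        findings.append(Finding("nltest_domain_recon", cmd))
    # The ColdFusion JVM has no business spawning LOLBins at all (assumed install path layout).
    if parent.endswith("java.exe") and "coldfusion" in parent and image in LOLBINS:
        findings.append(Finding("coldfusion_spawned_lolbin", f"{parent} -> {cmd}"))
    return findings


def check_access_line(line: str) -> list[Finding]:
    """Evaluate one web access log line; malformed lines yield no findings."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, method, status = m["ip"], m["method"], m["status"]
    path = m["path"].split("?", 1)[0]
    findings: list[Finding] = []
    if ip in IOC_IPS:
        findings.append(Finding("ioc_ip", f"{ip} {method} {path} {status}"))
    # A POST straight at a .jsp/.cfm that is not a known form target looks like webshell traffic.
    if method == "POST" and SCRIPT_EXT.search(path) and path.lower() not in KNOWN_POST_ENDPOINTS:
        findings.append(Finding("post_to_script", f"{ip} {method} {path} {status}"))
    return findings


# Constructed sample telemetry (not from the advisory).
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil.exe -decode conf.txt conf.jsp",
     "parent": r"C:\ColdFusion2021\jre\bin\java.exe"},
    {"image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /domain_trusts /all_trusts", "parent": "cmd.exe"},
    {"image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl.exe /y C:\Windows\System32\config\SAM /d C:\temp\sam.save /vss", "parent": "cmd.exe"},
    {"image": "reg.exe", "cmdline": r"reg save HKLM\SAM C:\temp\sam.hiv", "parent": "cmd.exe"},
    {"image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil.exe -hashfile setup.msi SHA256",
     "parent": "explorer.exe"},  # benign certutil use: must not fire
]
ACCESS_LOG = """\
10.0.0.5 - - [26/Jun/2023:09:58:10 +0000] "POST /app/login.cfm HTTP/1.1" 302 0 "-" "Mozilla/5.0"
158.101.73.241 - - [26/Jun/2023:10:01:02 +0000] "POST /CFIDE/conf.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
125.227.50.97 - - [26/Jun/2023:10:03:44 +0000] "GET /cfide/administrator/index.cfm HTTP/1.1" 200 4100 "-" "curl/8.0"
10.0.0.7 - - [26/Jun/2023:10:05:00 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Jun/2023:10:07:21 +0000] "POST /d.jsp HTTP/1.1" 500 0 "-" "python-requests/2.31"
garbage line that does not parse
"""


def run_sample() -> list[Finding]:
    """Run every check over the constructed telemetry and return all findings."""
    findings: list[Finding] = []
    for ev in PROCESS_EVENTS:
        findings.extend(check_process(ev))
    for line in ACCESS_LOG.splitlines():
        findings.extend(check_access_line(line))
    return findings


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] {f.detail}")
```

The ColdFusion-parent rule is the one to tune first in a real deployment: the JVM legitimately spawns nothing interactive, so any cmd.exe or certutil.exe child is a high-confidence signal, while the POST-to-script rule needs a site-specific allowlist to stay quiet.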
The incidents CISA reports are a reminder to all organizations, especially across the US and Western Europe, of the urgency of patching CVE-2023-26360; Adobe addressed it in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6, so any server below those update levels should be treated as exposed. The CISA report also draws attention to unpatched ColdFusion 2016 and ColdFusion 11 installations, which have reached end of life and no longer receive security updates, and should therefore be migrated rather than left internet-facing.