2023-12-14

CISA Warns of Exploitation with Adobe ColdFusion Vulnerability - CVE-2023-26360

Level: Tactical | Source: CISA | Global

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory addressing confirmed exploitation of the Adobe ColdFusion vulnerability CVE-2023-26360 against a Federal Civilian Executive Branch (FCEB) agency. The vulnerability is an improper access control flaw in ColdFusion 2018 Update 15 and earlier and ColdFusion 2021 Update 5 and earlier that can lead to arbitrary code execution. Two incidents between June and July 2023 involved the compromise of at least two public-facing servers. Exploitation allowed the threat actors to drop malware and carry out reconnaissance to gain insight into the broader network. Analysis by the affected agency found no evidence of data exfiltration or lateral movement in either incident.

Incident 1 occurred on June 26, 2023, when threat actors targeted a public-facing web server running Adobe ColdFusion v2016.0.0.3, an unsupported release for which no fix for CVE-2023-26360 exists. After exploiting the vulnerability, the threat actors connected back to their command and control (C2) domain. Executed commands included certutil to decode a .jsp web shell, attrib.exe to hide the decoded web shell, and HTTP POST requests to a configuration file. According to ColdFusion application logs, CISA reports that the payloads "tat.cfm, config.jsp, and system.cfm failed to execute on the host due to syntax errors." The threat actors staged files in the C:\IBM directory and removed them before forensic analysis.

Incident 2 began as early as June 2, 2023, when threat actors exploited the same vulnerability on a public-facing web server running Adobe ColdFusion v2021.0.0.2. Reconnaissance included domain trust enumeration and collection of administrative user account information. A remote access trojan (RAT) was dropped, and the threat actors attempted to exfiltrate registry hives, including the Security Account Manager (SAM), that had been saved to a zip file; whether that exfiltration succeeded is unknown. A review of a .dat file also showed that the threat actors had dumped data from LSASS. CISA notes that analysis of the incident strongly "suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface." The seed.properties file holds the seed value and encryption method used to encrypt ColdFusion passwords, and the same seed can be used to decrypt them, so any password encrypted under an exposed seed should be treated as exposed. Although the threat actors viewed this sensitive data, no malicious code was reported to have been present "on the victim system to indicate the threat actors attempted to decode any passwords using the values found in the seed.properties file."
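The following Python is an added example, not part of the CISA advisory or of Anvilogic's detection content. It runs simple detection logic for the behaviours reported in both incidents (certutil decoding a web shell, attrib.exe hiding it, a ColdFusion service spawning living-off-the-land binaries, registry hive saves, domain trust enumeration, POST requests to an unexpected .jsp, and seed.properties appearing in a request) over constructed process-creation events and web access log lines. The event field names, file paths, host names, the parent-process name used for the ColdFusion service, and the log lines are all assumptions made for the example.

```python
import re
import shlex

# Constructed Sysmon/EDR-style process-creation events (not from the advisory).
# "parent" of coldfusion.exe is an assumption about how the service appears.
PROCESS_EVENTS = [
    {"host": "web01", "parent": "coldfusion.exe", "image": "certutil.exe",
     "cmdline": r"certutil -decode C:\IBM\c.txt C:\ColdFusion2016\cfusion\wwwroot\CFIDE\config.jsp"},
    {"host": "web01", "parent": "coldfusion.exe", "image": "attrib.exe",
     "cmdline": r"attrib +h C:\ColdFusion2016\cfusion\wwwroot\CFIDE\config.jsp"},
    {"host": "web02", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.dat"},
    {"host": "web02", "parent": "cmd.exe", "image": "nltest.exe",
     "cmdline": "nltest /domain_trusts /all_trusts"},
    {"host": "build01", "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil -hashfile setup.msi SHA256"},  # benign admin use
]

# Constructed combined-format access log lines (not from the advisory).
WEB_LOG = [
    r'203.0.113.5 - - [26/Jun/2023:14:02:11 +0000] "POST /CFIDE/config.jsp HTTP/1.1" 200 512',
    r'203.0.113.5 - - [02/Jun/2023:09:45:30 +0000] "GET /CFIDE/shell.jsp?cmd=type+..\lib\seed.properties HTTP/1.1" 200 1024',
    r'198.51.100.7 - - [26/Jun/2023:14:05:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
    r'198.51.100.7 - - [26/Jun/2023:14:05:02 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 2048',
]

CF_PARENTS = {"coldfusion.exe", "java.exe"}          # assumed service process names
LOLBINS = {"certutil.exe", "attrib.exe", "cmd.exe", "powershell.exe", "reg.exe", "nltest.exe"}
WEB_EXEC_EXT = (".jsp", ".jspx", ".cfm", ".cfc", ".cfml")
HIVES = re.compile(r"hklm\\(sam|security|system)\b", re.I)
ALLOWED_JSP = set()   # assumption: this deployment serves no .jsp; baseline your own
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def detect_process(ev):
    """Return rule names that fire on one process-creation event."""
    # Non-POSIX split keeps Windows backslashes; strip quotes around paths with spaces.
    argv = [a.strip('"') for a in shlex.split(ev["cmdline"], posix=False)]
    args = [a.lower() for a in argv[1:]]
    image = ev["image"].lower()
    hits = []
    touches_web_file = any(a.endswith(WEB_EXEC_EXT) for a in args)
    if image == "certutil.exe" and touches_web_file and \
            any(a in ("-decode", "-decodehex", "-urlcache") for a in args):
        hits.append("certutil_writes_webshell")
    if image == "attrib.exe" and "+h" in args and touches_web_file:
        hits.append("attrib_hides_webshell")
    if image == "reg.exe" and args and args[0] in ("save", "export") and \
            any(HIVES.search(a) for a in args):
        hits.append("registry_hive_dump")
    if image == "nltest.exe" and any(a.startswith("/domain_trusts") for a in args):
        hits.append("domain_trust_enum")
    if ev["parent"].lower() in CF_PARENTS and image in LOLBINS:
        hits.append("coldfusion_spawns_lolbin")
    return hits


def detect_web(line):
    """Return rule names that fire on one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = m["target"]
    path = target.split("?", 1)[0].lower()
    hits = []
    if m["method"] == "POST" and path.endswith(".jsp") and path not in ALLOWED_JSP:
        hits.append("post_to_unexpected_jsp")
    if "seed.properties" in target.lower():
        hits.append("seed_properties_in_request")
    return hits


def run(process_events=PROCESS_EVENTS, web_log=WEB_LOG):
    """Correlate both sources into (source, rule, evidence) tuples."""
    alerts = []
    for ev in process_events:
        for rule in detect_process(ev):
            alerts.append((ev["host"], rule, ev["cmdline"]))
    for line in web_log:
        m = LOG_RE.match(line)
        for rule in detect_web(line):
            alerts.append((m["ip"], rule, line))
    return alerts


if __name__ == "__main__":
    for source, rule, evidence in run():
        print(f"{source:14} {rule:28} {evidence}")
```

The parent-process rule is the most durable of these: the specific file names and syntax errors in the advisory will not recur, but a ColdFusion service process spawning certutil, attrib, reg or nltest is rarely legitimate. Tune `ALLOWED_JSP` and `CF_PARENTS` to your deployment before relying on the web-shell rules.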
