March 27, 2023

An unidentified threat group exploited an 11-year-old vulnerability in Adobe ColdFusion 9 to take remote control of a ColdFusion server and deploy Cring ransomware on it.

The targeted server was used to gather accounting data for payroll and timesheets, and it also hosted a few VMs. The attacks originated from an internet address assigned to Green Floid. The infection took only a few minutes: the attackers exploited an 11-year-old vulnerability in ColdFusion 9 running on Windows Server 2008. Both products had already reached end-of-life.

After gaining initial access, the attackers used sophisticated tactics to hide their files, such as injecting code into memory and covering their tracks by overwriting files with garbage data. The attackers abused a set of directory traversal flaws (CVE-2010-2861) in the administrator console of ColdFusion 9.0.1 and earlier, which allow remote attackers to read arbitrary files.

The attackers are believed to have abused another ColdFusion vulnerability (CVE-2009-3960) to upload a malicious CSS file to the server.
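The two ColdFusion flaws described above suggest two cheap checks a defender can run on a server like this one. The following Python script is an added example, not code from this page or from the researchers who analysed the attack. It scans web-server access logs (constructed sample lines in Combined Log Format) for directory traversal attempts against the /CFIDE/administrator/ console, decoding the URL repeatedly so that double-encoded sequences are caught, and it walks a webroot for files that carry a text extension such as .css but begin with the MZ header of a Windows executable, the kind of masquerading a "CSS file" that is really a Beacon loader would show. The locale=../.. request shape in the sample log follows the publicly documented exploit for CVE-2010-2861; the log format, IP addresses, file names and the MZ heuristic are assumptions made for the demonstration.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format). They are not taken
# from the page or from any incident report; the traversal payloads are modelled
# on the public CVE-2010-2861 exploit against enter.cfm's "locale" parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2021:08:01:12 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2021:08:01:15 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../ColdFusion9/lib/password.properties%00en HTTP/1.1" 200 2411 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2021:08:02:01 +0000] "GET /index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2021:08:03:44 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%252f..%252f..%252fColdFusion9%252flib%252fpassword.properties%2500en HTTP/1.1" 200 2411 "-" "curl/7.64"
198.51.100.7 - - [10/Jan/2021:08:04:10 +0000] "GET /CFIDE/administrator/images/logo.gif HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# "../", "..\" or an embedded NUL (used to cut off the ".cfm"/"en" suffix the app appends).
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|\x00)')


def fully_decode(value, rounds=3):
    """URL-decode until the string stops changing, so %252e%252e%252f is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text, admin_prefix="/CFIDE/administrator/"):
    """Return one record per request that targets the admin console with a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        decoded = fully_decode(match["target"])
        if decoded.lower().startswith(admin_prefix.lower()) and TRAVERSAL_RE.search(decoded):
            hits.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "method": match["method"],
                "decoded_target": decoded,
                "status": int(match["status"]),
            })
    return hits


# Extensions a web server would happily serve as text; a PE file under one of these is suspect.
TEXT_EXTENSIONS = {".css", ".js", ".txt", ".htm", ".html", ".cfm"}
PE_MAGIC = b"MZ"


def find_masquerading_executables(root):
    """Walk a webroot and list text-extension files whose first two bytes are a PE 'MZ' header."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC:
                findings.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(findings)


def build_demo_webroot():
    """Create a throwaway webroot (constructed): one real stylesheet, one PE stub named .css."""
    root = tempfile.mkdtemp(prefix="cfwebroot_")
    admin_dir = os.path.join(root, "CFIDE", "administrator")
    os.makedirs(admin_dir)
    with open(os.path.join(admin_dir, "style.css"), "wb") as fh:
        fh.write(b"body { color: #000; }\n")
    with open(os.path.join(admin_dir, "theme.css"), "wb") as fh:
        # Fake DOS header only; this is not an executable, just the bytes the check keys on.
        fh.write(b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.")
    return root


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal from {hit['ip']} at {hit['ts']}: {hit['decoded_target']!r} -> HTTP {hit['status']}")
    for rel in find_masquerading_executables(build_demo_webroot()):
        print(f"PE header under a text extension: {rel}")
```

Both checks are heuristics, not proof of compromise: a 200 response to a traversal request means the application did not reject it, not necessarily that the file was returned, so follow up by looking for reads of password.properties and for logons to the console from the same source. The MZ check only catches files dropped with a PE header intact; a loader stored as encoded text would need a content-entropy or YARA pass instead.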

They used it to load a Cobalt Strike Beacon executable, which served as the channel through which the remote attackers dropped additional payloads and created a user account with administrator privileges. That access let the attackers disable anti-malware engines and endpoint protection before starting the Cring ransomware encryption process.

These attacks show once again that systems running outdated software face severe consequences when exploited. There is no guarantee that cybercriminals will not abuse a decade-old vulnerability. Lest we forget, the first line of defense is always keeping software and device firmware up to date.
