Unpatched Adobe ColdFusion bug led to double breach of US federal agency

Threat actors abused a known Adobe ColdFusion bug to carry out two attacks on a U.S. federal agency’s systems two months after a mandated deadline to mitigate the vulnerability had passed.

The incident was disclosed in a Dec. 5 cybersecurity advisory published by the Cybersecurity and Infrastructure Security Agency (CISA) which did not name the federal civilian executive branch (FCEB) agency involved.

The attacks — carried out by either one or two unknown threat groups — exploited CVE-2023-26360, an improper access control vulnerability that can result in arbitrary code execution.

The bug affects versions of ColdFusion 2018 prior to Update 16 and ColdFusion 2021 prior to Update 6. It also affects two older versions of the web-application development software which are no longer supported by Adobe.

Adobe issued a patch for the vulnerability in March, saying at the time it was aware the bug was being exploited in the wild “in very limited attacks.”

CISA immediately added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and required all FCEB agencies to apply the ColdFusion patch across their organizations by April 5. The deadline did not appear to have been met by the agency highlighted in the Dec. 5 advisory, however.

Analysis of network logs showed at least two public-facing servers within the affected agency’s environment were compromised between June and July, enabling threat actors to “establish an initial foothold on two agency systems in two separate instances,” CISA said in its advisory.

“In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software which are vulnerable to various CVEs.”

Hackers dropped malware via ColdFusion bug on federal servers

CISA said the threat actors initiated a variety of activities on the compromised web servers. By exploiting CVE-2023-26360 they were able to drop malware using HTTP POST commands to the directory path associated with ColdFusion.

During the second incident they dropped a remote access trojan (RAT), which was a modified version of a publicly available web shell code known as ByPassGodzilla.

“Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network,” CISA said.

The threat actors also attempted to access SYSVOL, which is used to deliver policy and logon scripts to domain members on an agency domain controller.

“The attempt was unsuccessful. Had the attempt succeeded, the threat actors may have been able to change policies across compromised servers,” CISA said.

“No evidence is available to confirm successful data exfiltration or lateral movement during either incident.”

In its advisory, CISA recommended several measures for organizations to take to mitigate the ColdFusion vulnerability, the first being to upgrade all versions of the software affected by CVE-2023-26360.

More generally, it said organizations should keep all software up to date and prioritize patching against vulnerabilities listed in the KEV Catalog, as well as prioritizing the remediation of vulnerabilities on internet-facing systems.