In September, Adobe patched numerous critical vulnerabilities in ColdFusion. However, a couple of weeks after Adobe released the patches, researchers noticed active exploitation of an Adobe ColdFusion vulnerability in the wild. Reportedly, they attributed the exploitation to a Chinese APT group, which has been actively attacking unpatched servers.
Adobe ColdFusion Vulnerability Exploited In The Wild
Researchers at Volexity discovered active exploitation of an Adobe ColdFusion vulnerability. Although Adobe had already patched the vulnerability, it seems the attackers used the details published in Adobe's advisory to build their exploit and then began exploiting the flaw on servers that had not been updated.
The vulnerability exploited in this case is an unrestricted file upload bug (CVE-2018-15961). Exploiting this bug can lead to arbitrary code execution, and that is what the attackers achieved: a Chinese APT group uploaded the China Chopper webshell directly to vulnerable ColdFusion servers.
Regarding how the attack was carried out, Volexity stated in its report:
“The vulnerability is easily exploited through a simple HTTP POST request to the file upload.cfm, which is not restricted and does not require any authentication.”
According to Volexity, the vulnerability arose when Adobe switched the ColdFusion WYSIWYG editor from FCKEditor to CKEditor. Although Adobe had already patched it, the attackers did not miss the chance to exploit the bug on unpatched servers. The CKEditor upload handler did not include the .jsp file extension among its restricted upload extensions, and an issue with the "path" form variable allowed the attackers to change the directory the uploaded file was written to. Together, these two weaknesses left nothing to hinder their malicious activity.
Reportedly, Volexity identified various unpatched ColdFusion servers belonging to different institutions that appeared to be compromised. Volexity then reported its findings to Adobe, which had been unaware of any exploitation.
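As an added illustration (not ColdFusion's or CKEditor's own code, and not part of the original article), the following Python models the two weaknesses just described beside a hardened form: an extension denylist that omits .jsp next to an allowlist, and a "path" variable joined blindly to the upload root next to a check that the resolved target stays inside it. The upload root, the extension lists and the sample requests are all constructed for this example.

```python
import posixpath

# Constructed values for illustration; not ColdFusion's or CKEditor's real configuration.
UPLOAD_ROOT = "/var/www/uploads"
WEAK_DENYLIST = {".cfm", ".cfc", ".cfml", ".php", ".asp", ".aspx"}  # note: no .jsp
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def weak_check(filename, path):
    """Model of the pre-patch behaviour the article describes: a denylist of
    extensions that omits .jsp, and a 'path' form variable joined to the upload
    root without normalisation, so '..' components change the target directory.
    Returns the target path if the upload would be accepted, else None."""
    ext = posixpath.splitext(filename)[1].lower()
    if ext in WEAK_DENYLIST:
        return None
    return posixpath.join(UPLOAD_ROOT, path, filename)


def hardened_check(filename, path):
    """Hardened form: extension allowlist instead of denylist, basename only
    (no directory components inside the filename), and the resolved target
    must still lie under UPLOAD_ROOT after normalisation."""
    base = posixpath.basename(filename)
    ext = posixpath.splitext(base)[1].lower()
    if not base or ext not in ALLOWED_EXT:
        return None
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, path, base))
    # If '..' or an absolute 'path' escaped the root, the common prefix is shorter than the root.
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        return None
    return target


def compare(filename, path):
    """Return (accepted_by_weak, accepted_by_hardened) for one upload request."""
    return (weak_check(filename, path) is not None,
            hardened_check(filename, path) is not None)


if __name__ == "__main__":
    # Constructed requests: a benign image upload and one shaped like the
    # article's description (server-side script extension plus a path escape).
    for name, path in [("photo.png", "images"), ("shell.jsp", "../../CFIDE")]:
        print(name, path, compare(name, path))
```

The weak model accepts the .jsp upload and writes it outside the upload root, while the hardened model rejects it on both counts and still accepts the benign image in its intended subdirectory.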
Update Your Software ASAP!
The prime reason behind the success of the group involved in these attacks is the failure to apply the patched software. The attackers looked for unpatched servers to carry out their malicious activities. So, to ensure adequate protection against these attacks, ColdFusion users must install the patched updates. Moreover, the researchers also recommend limiting access to ColdFusion servers to only a few approved IP addresses.
Let us know your thoughts in the comments section.