Affected platforms: Windows and macOS
Impacted parties: Users of vulnerable versions of Adobe ColdFusion
Impact: Remote attackers gain control of vulnerable systems
Severity level: Critical
This past July, Adobe responded to reports of exploits targeting pre-authentication remote code execution (RCE) vulnerabilities in their ColdFusion solution by releasing a series of security updates: APSB23-40, APSB23-41, and APSB23-47. An in-depth analysis of those exploits has been documented by Project Discovery, including a significant vulnerability in the WDDX deserialization process within Adobe ColdFusion 2021.
Since those updates, however, FortiGuard Labs IPS telemetry data has continued to detect numerous efforts to exploit the Adobe ColdFusion deserialization of untrusted data vulnerability, which poses a significant risk of arbitrary code execution (Figure 1). These attacks include probing, establishing reverse shells, and deploying malware for subsequent actions. This article provides a detailed analysis of how this threat group exploits the Adobe ColdFusion vulnerability.
Figure 1: IPS Signature Activity
Overview
The targeted URI of the attack is “/CFIDE/adminapi/accessmanager.cfc,” which serves as a legitimate ColdFusion Component (CFC) endpoint. Attackers attempt to inject their payload into the “argumentCollection“ parameter through a POST request. A thorough packet capture illustrating this process is depicted in Figure 2.
Figure 2: Traffic capture
Attacker Actions – Probing
In July, we detected numerous active probing activities related to an interactsh tool that can generate specific domain names to help researchers test whether an exploit is successful (Figure 3). However, attackers can also use it to validate vulnerabilities via monitoring the domain. We collected the following domains related to similar probing activity, shown in Figure 4, including mooo-ng[.]com, redteam[.]tf, and h4ck4fun[.]xyz.
Figure 3: Probing activities involving interactsh tool
Figure 4: Probing activities involving other domains
Attacker Actions – Reverse Shell
Our analysis showed attackers are using a reverse shell, often called a remote shell or “connect-back shell,” to attempt to exploit vulnerabilities within a target system by initiating a shell session, thereby enabling access to the victim’s computer. Some exploits directed at the Adobe ColdFusion vulnerability use payloads encoded in Base64. The original data can be seen in Figure 5, while the decoded data is presented in Figure 6.
Figure 5: Reverse shell exploit
Figure 6: Decoded data
Attacker Actions – Malware
Based on the data we’ve gathered, the attacks originate from multiple distinct IP addresses, including 81[.]68[.]214[.]122, 81[.]68[.]197[.]3 and 82[.]156[.]147[.]183. These payloads are also encoded in Base64 (Figure 7). We also observed that the threat actor distributed this malware from the same server 103[.]255[.]177[.]55[:]6895, as revealed by the decoded information in Figure 8.
Figure 7: Payload of downloading malware
Figure 8: Decoded data
The server (103[.]255[.]177[.]55[:]6895) is a publicly accessible HTTP file server and we can observe the campaign’s progress through it. During our analysis, certain files proved especially challenging to trace due to frequent updates made by the attacker. The modifications to the files on the HFS public server are shown in Figure 9, showcasing the alterations made on 8/24.
Malware Variants
We also identified four malware variants being used in these attacks.
Figure 9: Attacker’s webpage at different times on 8/24
The first entity is XMRig Miner, software that leverages computer processing cycles to mine for the Monero cryptocurrency. It can be used for legitimate mining or be abused by cybercriminals by hijacking CPU cycles. This attack uses version 6.20.0, shown in Figure 10.
Figure 10: XMRig Miner
The second entity is Satan DDoS/Lucifer, a hybrid bot that combines cryptojacking and distributed denial of service (DDoS) functionalities. Lucifer was first reported in 2020. Beyond deploying the XMRig miner in this case, it demonstrates adeptness in command and control (C2) operations and can propagate by exploiting numerous vulnerabilities and employing credential brute-forcing. It also supports TCP, UDP, and HTTP-based DDoS attacks.
Researchers initially identified Lucifer as targeting and operating on Windows-based systems, but from the welcome message in Figure 11, we can see that this variant targets Linux.
Figure 11: Message from Satan DDoS/Lucifer
Lucifer establishes persistence by configuring registry key values under “SoftwareMicrosoftWindowsCurrentVersionRun.” It also employs “schtasks” to initialize its miner parameter and create a recurring task for persistence, as shown in Figure 12.
Figure 12: Mining configuration of Satan DDoS/Lucifer
The third entity is known as RudeMiner. This isn’t the first instance of its association with Lucifer. As shown in the wallet information labeled “45sep79asuwcjz8dltu7xtjbtx7yyf7uo6qt9ymfbqxv8gJzsdpyd46hoh6dm8paxklnsw9u7vezwu1dqmjkroryan3zeq1” in Figure 13, this particular campaign can be traced back to 2020. Figure 14 illustrates the presence of the DDoS attack methods associated with RudeMiner.
Figure 13: Message from RudeMiner
Figure 14: DDoS attacking methods from RudeMiner
The last entity is the BillGates/Setag backdoor, known for hijacking systems, communicating with C2 servers, and initiating attacks. FortiGuard Labs previously reported on its leveraging a vulnerability on Confluence Servers in 2021. It can be identified via the checking process procedure with the file “bill.lock” shown in Figure 15. The malware’s DDoS attack capabilities, as seen in Figure 16, encompass methods such as SYN, UDP, ICMP, and HTTP-based attacks.
Figure 15: Checking process in BillGates/Setag
Figure 16: Attacking methods in BillGates/Setag
Conclusion
We have been tracking this vulnerability for weeks and have observed a significant volume of threat exploitation targeting Adobe ColdFusion. Although the patches for these vulnerabilities have already been released, public attacks are still occurring. We strongly urge users to upgrade affected systems immediately and apply FortiGuard protection to avoid threat probing.
Fortinet Protections
This malware is detected and blocked by FortiGuard Antivirus as:
ELF/DDoS.BD!tr
W32/CoinMiner.OHX!worm
ELF/CoinMiner.HF!tr
ELF/RudeMiner.TGW!tr
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.
FortiGuard Labs provides the following IPS signature against attacks exploiting the vulnerability discussed in this report:
Adobe.ColdFusion.CVE-2023-38204.Insecure.Deserialization
Adobe.ColdFusion.CVE-2023-38203.Insecure.Deserialization
Adobe.ColdFusion.CVE-2023-29300.Insecure.Deserialization
The FortiGuard Web Filtering Service blocks the attacker’s server.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.
IOCs
Attacker’s IP Address:
81[.]68[.]214[.]122
81[.]68[.]197[.]3
82[.]156[.]147[.]183
Malware Server’s IP Address:
103[.]255[.]177[.]55:6895
Files:
7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df
590d3088ed566cb3d85d48f4914cc657ee49b7d33e85c72167e7c72d81d4cb6c
808f0f85aee6be3d3f3dd4bb827f556401c4d69a642ba4b1cb3645368954622e
4f22fea4d0fadd2e01139021f98f04d3cae678e6526feb61fa8a6eceda13296a