Rapid7 Observed Exploitation of Adobe ColdFusion | Rapid7 Blog

Last updated at Tue, 27 Feb 2024 17:17:29 GMT

Note: While Rapid7 did not definitively tie the attacker behavior in this blog to a specific CVE at time of publication, as of December 2023 we have observed multiple instances of exploitation of Adobe ColdFusion CVE-2023-26360 for initial access, as well as exploitation of ColdFusion CVE-2023-29300, CVE-2023-29298, and CVE-2023-38203.

Rapid7’s Threat Intelligence and Detection Engineering team has identified active exploitation of Adobe ColdFusion in multiple customer environments. The observed activity dates back to January 2023. IOCs are included below.

Rapid7 has existing detection rules within InsightIDR that have identified this activity and have created additional rules based upon this observed behavior. We have also observed  the compromised website, ooshirts[.]com, being used in other attacks dating back to March 2022.

Attacker Behavior

The earliest time frame of compromise identified thus far occurred in early January 2023. Rapid7 discovered evidence indicating that a malicious actor dropped webshells using an encoded PowerShell command. Process start data indicates that ColdFusion 2018 is spawning malicious commands.

Example base64 encoded command executed by malicious actor through ColdFusion:

Decoded:

Rapid7 Customers

In our current investigations, previously existing and new detections have been observed triggering post exploitation across Rapid7 InsightIDR and Managed Detection & Response (MDR) customers:

Webshell – Possible ColdFusion Webshell In Command Line

This detection identifies common ColdFusion tags being passed in the command line. This technique is used by malicious actors when redirecting strings into files when creating webshells.

Attacker Technique – CertUtil With URLCache Flag

This detection identifies the use of the ‘certutil.exe’ binary with the ‘-urlcache’ flag being passed to it. This technique is used by malicious actors to retrieve files hosted on a remote web server and write them to disk.

Indicators of Compromise

This technique has been observed by malicious actors redirecting strings into files while creating webshells. Look for *.cfm files in ColdFusion webroots containing the following ColdFusion tags:

  • <cfexecute>
  • </cfexecute>

Review process start logs for any abnormal child processes of ColdFusion Server

File items:

Type Value Notes
Filename WOW.TXT ColdFusion WebShell
Filename wow.txt ColdFusion WebShell
Filename www.txt ColdFusion WebShell
Filename www.cfm ColdFusion WebShell
Filename wow1.cfm ColdFusion WebShell
Filename zzz.txt ColdFusion WebShell
Filename dncat.exe DotNetCat
Filename nc.exe NetCat
SHA-256 e77d6a10370db19b97cacaeb6662ba79f34087d6eaa46f997ea4956e2ad2f245 ColdFusion WebShell
SHA-256 2482ab79ecb52e1c820ead170474914761358d3cee16e3377fd6e031d3e6cc25 ColdFusion WebShell
SHA-256 03b06d600fae4f27f6a008a052ea6ee4274652ab0d0921f97cfa222870b1ddc3 ColdFusion WebShell
SHA-256 be56f5ed8e577e47fef4e0a287051718599ca040c98b6b107c403b3c9d3ee148 ColdFusion WebShell
MD5 1edf1d653deb9001565b5eff3e50824a DotNetCat
SHA-1 5d95fb365b9d0ceb568bb0c75cb1d70707723f27 DotNetCat
SHA-256 213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0 DotNetCat
MD5 470797a25a6b21d0a46f82968fd6a184 NetCat
SHA-1 dac7867ee642a65262e153147552befb0b45b036 NetCat
SHA-256 ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419 NetCat

Network-based indicators:

Type Value Notes
FQDN www.av-iq[.]com Legitimate Compromised Domain
FQDN www.ooshirts[.]com Legitimate Compromised Domain
URL hXXps://www.av-iq[.]com/wow.txt ColdFusion WebShell
URL hXXps://www.ooshirts[.]com/images/zzz.txt ColdFusion WebShell
URL hXXps://www.ooshirts[.]com/images/dncat.exe DotNetCat
URL hXXp://www.ooshirts[.]com/images/nc.exe NetCat

MITRE ATT&CK Tactic/Technique/Subtechniques

TA0042 Resource Development (tactic):

  • T1584 Compromise Infrastructure (technique)
  • T1584.004 Server (sub-technique)

TA0001 Initial Access (tactic):

  • T1190 Exploit Public Facing Application (technique)

TA0002 Execution (tactic):

  • T1059 Command and Scripting Interpreter (technique)
  • T1059.001 PowerShell (sub-technique)
  • T1059.003 Windows Command Shell (sub-technique)

TA0003 Persistence (tactic):

  • T1505 Server Software Component (technique)
  • T1505.003 Web Shell (sub-technique)

TA0011 Command & Control (tactic):

  • T1132 Data Encoding (technique)
  • T1132.001 Standard Encoding (sub-technique)
  • T1572 Protocol Tunneling (technique)

Mitigation Guidance

While we have not tied this behavior back to exploitation of a specific CVE, Adobe released patches for known vulnerabilities in ColdFusion on March 14, 2023. At least one of the CVEs patched in version 16 (ColdFusion 2018) and version 6 (ColdFusion 2021) is known to be exploited in the wild. Rapid7’s vulnerability research team has successfully chained CVE-2023-26359 and CVE-2023-26360 for unauthenticated remote code execution; in-depth analysis and proof-of-concept code is available in AttackerKB here.

We strongly advise ColdFusion customers to update to the latest version to remediate known risk, regardless of whether the behavior we have detailed in this blog is related to recent vulnerabilities. We also advise customers to examine their environments for signs of compromise.

InsightVM and Nexpose customers are able to assess their exposure to known Adobe ColdFusion vulnerabilities via recurring vulnerability check coverage.

Eoin Miller contributed to this article.

Source: https://www.rapid7.com/blog/post/2023/03/21/etr-rapid7-observed-exploitation-of-adobe-coldfusion/