Adobe ColdFusion is a Java-based, commercial web app development platform using CFML for server-side programming.
ColdFusion is primarily known for its tag-based approach, which is unique. Besides this, it is also popular among developers for its adaptability across various industries.
The cybersecurity researchers at Fortinet recently uncoverd that Windows and macOS users face risk from Adobe ColdFusion vulnerabilities, targeted by remote attackers for pre-authentication RCE exploits.
Technical Analysis
Hackers target the URI ‘/CFIDE/adminapi/accessmanager.cfc,’ injecting payloads via a POST request into the ‘argumentCollection’ parameter.
By using the interactsh tool, researchers spotted probing activities in July. While this tool generates domain names for testing exploits and monitoring vulnerabilities.
Threat actors can misuse it to validate the vulnerabilities by monitoring the domains, and here are the related domains collected by security experts:-
- mooo-ng[.]com
- redteam[.]tf
- h4ck4fun[.]xyz
Probing activities involving other domains (Source – Fortinet)
Attackers employ reverse shells for exploiting system vulnerabilities, like in Adobe ColdFusion, using Base64-encoded payloads.
It’s been identified that from several IP addresses, all these attacks originated, and here below we have mentioned them:-
- 81[.]68[.]214[.]122
- 81[.]68[.]197[.]3
- 82[.]156[.]147[.]183
The malware was distributed from a publicly accessible HTTP file server:-
- 103[.]255[.]177[.]55[:]6895
Malware Variants
Here below, we have mentioned all the malware variants that the security analyst discovered:
- XMRig Miner: It’s a software program that uses CPU cycles for Monero mining for both legitimate and malicious purposes.
- DDoS/Lucifer: It’s a hybrid bot with cryptojacking, DDoS, C2, vulnerability exploitation, and DDoS capabilities, which was reported in 2020.
- RudeMiner: It’s also a hybrid version of a malware bot that targets the crypto wallet and carries out DDoS attacks.
- BillGates/Setag: This backdoor version is mainly known for hijacking, C2 server communication, and attacks. However, in this scenario, through the checking procedure with the file “bill.lock,” this malware could be detected.
Researchers have been monitoring this flaw for weeks and have seen many attacks against Adobe ColdFusion. They continue to be exploited in the wild despite introducing fixes to address these flaws. Users should upgrade affected systems to prevent threat probing.
Source: https://cybersecuritynews.com/pre-authentication-rce-adobe-coldfusion/
