An unidentified threat group exploited an 11-year-old vulnerability in Adobe ColdFusion 9 to take remote control of a ColdFusion server and deploy Cring ransomware on it.
What happened?
According to Sophos, the targeted server (belonging to an unnamed services company) was used to gather accounting data for payroll and timesheets and also hosted a few VMs.
- The attacks originated from an internet address assigned to Green Floid, a Ukrainian ISP.
- The infection took only a few minutes, exploiting an 11-year-old vulnerability in ColdFusion 9 running on Windows Server 2008. Both products had reached end of life.
- After gaining initial access, the attackers used evasive techniques to hide their activity, such as injecting code into memory and overwriting files with garbage data to cover their tracks.
- The attackers were also able to disable security products because tamper-protection features had been turned off.
Exploiting vulnerabilities
The attackers abused a set of directory traversal flaws (CVE-2010-2861) in the administrator console of ColdFusion 9.0.1 and earlier, which allow remote attackers to read arbitrary files.
- To proceed further, the attackers are believed to have abused another ColdFusion vulnerability (tracked as CVE-2009-3960) to upload a malicious CSS file to the server.
- They used it to load a Cobalt Strike Beacon executable, which gave the remote attackers a channel to drop additional payloads and create a user account with admin privileges.
- That access also let the attackers disable anti-malware engines such as Windows Defender and other endpoint protection before starting Cring ransomware's encryption process.
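As an added illustration of the detection side (example code written for this page, not taken from the Sophos report or from the attackers' tooling), the script below scans web-server access logs for traversal attempts against the ColdFusion administrator console. The CVE-2010-2861 description names the `locale` parameter of several pages under `/CFIDE/administrator/` as the vector, so the check decodes every query parameter (repeatedly, to catch double-encoding) and flags `../` sequences or null-byte truncation. The log lines are constructed for the example and are not from the incident.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path prefix of the ColdFusion administrator console (compared case-insensitively).
CF_ADMIN_PREFIX = "/cfide/administrator/"

# Constructed combined-format access-log lines for the example; not real traffic.
# Line 1 and 2: traversal via the "locale" parameter (plain and percent-encoded).
# Line 3 and 4: benign requests. Line 5: double-encoded traversal against another
# admin page named in the CVE description.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2021:02:14:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../ColdFusion9/lib/password.properties%00en HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2021:02:14:11 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2F..%2F..%2Fwindows%2Fwin.ini%00en HTTP/1.1" 200 411 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Sep/2021:02:15:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Sep/2021:02:15:30 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2021:02:16:02 +0000] "GET /CFIDE/administrator/settings/mappings.cfm?locale=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 700 "-" "curl/7.68.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to slip past naive filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if a parameter value climbs directories or uses a null byte to truncate a path."""
    decoded = fully_decode(value).replace("\\", "/")
    return "../" in decoded or decoded.startswith("..") or "\x00" in decoded


def scan_line(line):
    """Return a finding dict for an admin-console request carrying a traversal payload, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not fully_decode(parts.path).lower().startswith(CF_ADMIN_PREFIX):
        return None
    # parse_qs decodes one layer of percent-encoding; fully_decode handles the rest.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            if is_traversal(v):
                return {
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "path": parts.path,
                    "param": name,
                    "value": fully_decode(v),
                    "status": int(m.group("status")),
                }
    return None


def scan_log(text):
    """Scan a whole log; returns findings in log order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # Successful (200) responses to these requests are the ones worth triaging first.
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']!r} status={f['status']}")
```

The check is deliberately scoped to the administrator console so that ordinary application traffic with `..` in a parameter does not page anyone; widen `CF_ADMIN_PREFIX` or drop the path filter if the server exposes other ColdFusion endpoints that take file-like parameters.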
Conclusion
These recent attacks show again that devices running outdated software face severe consequences when exploited. There is no guarantee that cybercriminals will ignore a decade-old vulnerability just because of its age. Lest we forget, the first line of defense is always keeping software and device firmware up to date.