Adobe ColdFusion

Adobe ColdFusion servers attacked by APT group

A nation-state cyber espionage group is actively hacking Adobe ColdFusion servers and installing backdoors for future operations, Volexity researchers told ZDNet.

The attacks have been taking place since late September and have targeted ColdFusion servers that were not updated with security patches released by Adobe two weeks earlier on September 11.

It looks like hackers have studied Adobe’s September patches and figured out how to exploit CVE-2018-15961 to their advantage.

Classified as an "unauthenticated file upload," this vulnerability allowed the APT group (APT stands for Advanced Persistent Threat, another term used to describe nation-state cyber espionage groups) to surreptitiously upload a version of the China Chopper web shell to unpatched servers and take over the whole system.

Matthew Meltzer, security analyst for Volexity, told ZDNet that the central issue at the heart of this vulnerability is that Adobe replaced FCKEditor, the technology behind ColdFusion's native WYSIWYG editor, with CKEditor.

CKEditor is a revamped and updated version of the old FCKEditor, but Meltzer says that when Adobe switched between the two inside ColdFusion, it accidentally reintroduced an unauthenticated file upload vulnerability that it had originally fixed in the ColdFusion integration of FCKEditor in 2009.

The problem, according to Meltzer, is that ColdFusion's initial integration of CKEditor shipped with a weaker file-upload blacklist, one that did not block JSP files, so anyone could upload a JSP file to a ColdFusion server without logging in. ColdFusion runs on a Java servlet engine and executes JSP files natively, so an uploaded JSP is not a harmless document but server-side code that runs as soon as it is requested. That created a dangerous situation.

“The attackers we observed noticed that the .jsp extension had been left out and took advantage of it,” Meltzer told ZDNet in an interview today.

Adobe realized its mistake and added the .jsp extension to CKEditor's file-upload blacklist in the September patch.
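To make the mechanism concrete, here is an added example (not Adobe's code and not Volexity's) contrasting an extension blacklist that omits .jsp, the same blacklist after .jsp is added, and an allowlist of the handful of types an editor's file manager actually needs. The three lists are constructed for illustration and are not ColdFusion's real configuration; the point is that a blacklist is only as good as its last omission, while an allowlist fails closed.

```python
"""
Illustrative upload-name filters for the bug class behind CVE-2018-15961.
Added example: the lists are constructed, not Adobe's CKEditor settings.
"""
import os

# Constructed blacklist in the spirit of the pre-patch filter described in
# the article: server-side types are listed, but .jsp was left out.
WEAK_BLACKLIST = {".cfm", ".cfc", ".cfml", ".php", ".asp", ".aspx", ".exe"}

# Constructed "patched" blacklist: the same list with .jsp added, which is the
# kind of one-line fix the article says the September patch made.
PATCHED_BLACKLIST = WEAK_BLACKLIST | {".jsp"}

# Constructed allowlist: what a WYSIWYG editor's file manager actually needs.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def last_extension(filename: str) -> str:
    """Lower-cased final extension (with the dot) of the file's base name."""
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def blacklist_allows(filename: str, blacklist) -> bool:
    """Blacklist check: the upload is accepted unless its last extension is listed."""
    return last_extension(filename) not in blacklist


def allowlist_allows(filename: str, allowlist=ALLOWLIST) -> bool:
    """Allowlist check: accept only a plain name with exactly one known-safe extension.

    Rejects path components, empty stems, multi-dot names such as cmd.jsp.png,
    and control characters (including NUL) that a server or filesystem might
    strip or truncate on.
    """
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False
    if any(ord(c) < 0x20 for c in base):
        return False
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False
    return "." + parts[1].lower() in allowlist


def evaluate(filename: str):
    """(weak blacklist, patched blacklist, allowlist) verdicts for one upload name."""
    return (
        blacklist_allows(filename, WEAK_BLACKLIST),
        blacklist_allows(filename, PATCHED_BLACKLIST),
        allowlist_allows(filename),
    )


if __name__ == "__main__":
    for name in ("cmd.jsp", "cmd.JSP", "photo.png", "photo.jsp.png", "../photo.png"):
        print(f"{name:16} weak={evaluate(name)[0]} patched={evaluate(name)[1]} allowlist={evaluate(name)[2]}")
```

The weak blacklist accepts `cmd.jsp` and `cmd.JSP`; the patched one rejects both, but only because someone remembered to add that one entry. The allowlist never needed the fix, and it also refuses names like `photo.jsp.png` and `../photo.png` that both blacklists wave through.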

But this simple change did not escape the notice of the APT group. Two weeks after Adobe's patch, the cyber espionage group began scanning for unpatched ColdFusion servers and has since been uploading a JSP version of the China Chopper web shell to take control of them.

It's unclear exactly what the attackers intend to do with these servers, but they will most likely be used as staging areas to host malware, send spear-phishing emails, run watering-hole attacks, or disguise other attacks as part of a proxy network, which is typical APT activity.

“It’s not difficult to abuse CVE-2018-15961, so any organization running a vulnerable instance of ColdFusion should update as soon as possible,” Meltzer warned.

The researcher says Volexity also identified cases over the summer in which a group of Indonesian hacktivists defaced websites hosted on ColdFusion servers.

While Meltzer and Volexity haven't had a chance to review the logs and artifacts of the companies involved, they believe this group could have used the same vulnerability before Adobe patched it. Their hypothesis is based on the locations of the files uploaded during these defacements, which point to unauthorized uploads through the editor.
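Both the APT activity described above (upload a JSP web shell, then call it) and the defacement cases, where the location of the dropped files was the tell, leave the same trace in web-server access logs: a POST to the upload handler followed by requests for a .jsp resource under the directory where uploads land. The following is an added example of that hunt, not code from Volexity or Adobe. The handler path `/editor/upload.cfm`, the directory `/editor/uploadedFiles/`, the one-hour correlation window, and the log lines themselves are all constructed for illustration; on a real server, substitute the actual upload endpoint and destination directory.

```python
"""
Hunt for upload-then-execute activity in combined-format access logs.
Added example with constructed paths and log lines (not from the article).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

UPLOAD_HANDLER = "/editor/upload.cfm"    # assumed path of the editor's upload handler
UPLOAD_DIR = "/editor/uploadedFiles/"    # assumed directory uploads are written to
WINDOW = timedelta(hours=1)              # assumed correlation window

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# .jsp at the end of the path, or followed by path info / a matrix parameter
JSP_RE = re.compile(r"\.jsp(?:$|[/;])", re.IGNORECASE)

# Constructed sample log: one upload followed by shell use, normal traffic,
# and an unrelated probe for a JSP file that does not exist.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2018:10:14:02 +0000] "POST /editor/upload.cfm?type=file HTTP/1.1" 200 412
203.0.113.7 - - [25/Sep/2018:10:14:09 +0000] "GET /editor/uploadedFiles/cmd.jsp HTTP/1.1" 200 51
203.0.113.7 - - [25/Sep/2018:10:15:31 +0000] "POST /editor/uploadedFiles/cmd.jsp HTTP/1.1" 200 2048
198.51.100.4 - - [25/Sep/2018:11:02:17 +0000] "GET /editor/uploadedFiles/logo.png HTTP/1.1" 200 8812
198.51.100.4 - - [25/Sep/2018:11:02:20 +0000] "GET /index.cfm HTTP/1.1" 200 9123
192.0.2.9 - - [26/Sep/2018:03:40:00 +0000] "GET /editor/uploadedFiles/old.jsp HTTP/1.1" 404 210
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["target"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_webshell_activity(log_text, window=WINDOW):
    """Flag every request for a JSP under UPLOAD_DIR, correlated with earlier uploads.

    Any JSP request in the upload directory is a finding on its own: server-side
    code has no business there. 'correlated' is True when the same client
    POSTed successfully to the upload handler within `window` beforehand.
    """
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    uploads = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == UPLOAD_HANDLER and e["status"] == 200:
            uploads[e["ip"]].append(e["time"])
    findings = []
    for e in events:
        if not e["path"].startswith(UPLOAD_DIR) or not JSP_RE.search(e["path"]):
            continue
        correlated = any(timedelta(0) <= e["time"] - t <= window for t in uploads[e["ip"]])
        findings.append({
            "ip": e["ip"],
            "time": e["time"].isoformat(),
            "method": e["method"],
            "path": e["path"],
            "status": e["status"],
            "correlated": correlated,
        })
    return findings


if __name__ == "__main__":
    for f in find_webshell_activity(SAMPLE_LOG):
        print(f)
```

Treat a correlated hit with a 2xx status as a live web shell until proven otherwise, and pull the file from disk for hashing rather than trusting the log alone. An uncorrelated 404, like the last sample line, is more likely a scanner probing for a shell someone else dropped, but it still tells you the directory is on attackers' lists.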

"We have not observed any abuse of this vulnerability outside of APT activity and possibly criminal web defacement," Meltzer told us, but that may change in the future.

The company advises owners of ColdFusion servers to take advantage of the automatic server update feature to ensure that their servers receive and install updates as they become available. Volexity has also published a technical report with its recent findings.


Image: Volexity
