Coldfusion blog

The Long Tail of ColdFusion Fail – Krebs on Security

Earlier this month I posted a story about a criminal hacking gang using Adobe Cold Fusion vulnerabilities to create a botnet of hacked e-commerce sites that were exploited for customer credit card data. Today’s article examines the impact this botnet has had on several companies, as well as the important and costly lessons these companies have learned from the intrusions.

Last Tuesday’s story focused on two victims; the maker of jams and jellies Smucker’sand SecurePay, a Georgia-based credit card processor. Most companies contacted for this story did not respond to requests for comment. The few companies listed that responded had remarkably similar stories to tell of the ordeal of trying to keep their businesses going in the face of such intrusions. Each of them learned important lessons that any small online business would be wise to consider in the future.

The two companies that agreed to speak with me were both lighting companies, and both first learned of their site’s compromise after credit card company Discover alerted their card processors. of a pattern of fraudulent activity on recently used cards in stores., a Maple Grove, Minnesota-based company that sells lighting products, was among those listed in the ColdFusion botnet panel. Vice President of Paul McLellan said he learned of the breach on November 7, 2013 from his company’s processor – Heartland Payment Systems.


McLellan said the unpatched ColdFusion vulnerabilities on the company’s site were definitely a glaring oversight. But he said he was frustrated that his company paid more than $6,000 a year to a third-party security compliance firm to test for vulnerabilities and that the company also missed the flaws. from ColdFusion.

“Shortly before Heartland told us, we paid $6,000 a year for a company to bully our server, for protection and peace of mind,” McLellan said. “Turns out this flaw had been there for two years and they had never seen it.

McLellan said the company was visited by the FBI last year, and the agent said the group responsible for hitting Elightbulbs compromised much higher-profile targets.

“The FBI investigator said, ‘Hey, don’t beat yourself up. We have credit card processors and government institutions that run ColdFusion that have been hacked, that’s a small potato,'” said McLellan “That was a small consolation.”

Ultimately, opted to get the target off its back by outsourcing credit card processing on its site to, a third-party processing company that specializes in securing e-commerce transactions.

“Myself and my IT manager made a pact that we were never going to go back to top-up cards on our server, that we were going to take the site out of the equation,” McLellan said. “At first I thought it would turn customers away, but people don’t seem to care about the extra step. And for me, I go to sleep at night knowing that I’m protecting my customers’ data. Personally, I will never take again [credit cards] on the site. It’s hard enough running a small business, and I don’t want credit card theft to be one of the things I constantly have to worry about.

kichler was another lighting store trapped by the ColdFusion botnet. Company owner Gary Fitterman said the breach cost his company a huge amount of time and money.

“It was like being attacked by terrorists,” Fitterman said. “When we heard what had happened, we immediately went into a frenzy, spent a ton of money to get [forensics experts] to take a look.

Ultimately, Fitterman and his team also opted to outsource credit card processing to a third party, believing it wasn’t worth continuing to handle it in-house.

“Now we can just focus on growing our business, rather than always playing catch-up to make sure we have the latest and greatest,” Fitterman said. “It’s not worth the risk. I don’t think there is as much information out there to educate small businesses like me on everything you need to know before it happens to you.

Among the four dozen sites subservient to the ColdFusion botnet was also the web storefront of LaCiea hardware company specializing in external hard drives.


Clive ondirector of corporate communications for the owner of LaCie Seagatesaid the company has investigated the incident and has so far found no indication that any customer data was compromised in the attack.

“This week, the company received information indicating that a server hosting may have been maliciously targeted and possibly breached at some point during calendar year 2013,” Over said in a statement. press release sent by e-mail. “Privacy and security are of the utmost importance to the Company, and so we took immediate steps to investigate this matter as soon as we became aware of it. The Company conducted a preliminary investigation and, at the time At this time, we do not know whether any company or third-party information was accessed inappropriately. The company is currently working closely with third-party experts to perform further forensic analysis.”

Adobe ColdFusion vulnerabilities have resulted in a number of high profile attacks in the past. In February, a hacker in the UK was accused of accessing computers at the Federal Reserve Bank of New York in October 2012 and stealing names, phone numbers and email addresses in using ColdFusion flaws. According to this Business Week article, Lauri Love was arrested in connection with a sealed case that alleges that between October 2012 and August 2013, Love hacked into computers belonging to the US Department of Health and Human Services, the US Sentencing Commission, Regional Computer Forensics Laboratory and the US Department of Energy.

Update, 12:15 p.m. ET: The Guardian today reported on another apparent victim of ColdFusion’s failure: the automaker Citroen.