Hackers Exploit Pre-Authentication RCE Vulnerabilities in Adobe ColdFusion
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Adobe ColdFusion is a Java-based, commercial web app development platform using CFML for server-side programming.
ColdFusion is primarily known for its tag-based approach, which is unique. Besides this, it is also popular among developers for its adaptability across various industries.
The cybersecurity researchers at Fortinet recently uncoverd that Windows and macOS users face risk from Adobe ColdFusion vulnerabilities, targeted by remote attackers for pre-authentication RCE exploits.
Technical Analysis
Hackers target the URI ‘/CFIDE/adminapi/accessmanager.cfc,’ injecting payloads via a POST request into the ‘argumentCollection’ parameter.
Attacker’s webpage at different times on 8/24
Threat actors can misuse it to validate the vulnerabilities by monitoring the domains, and here are the related domains collected by security experts:-
Probing activities involving other domains (Source – Fortinet)
Attackers employ reverse shells for exploiting system vulnerabilities, like in Adobe ColdFusion, using Base64-encoded payloads.
It’s been identified that from several IP addresses, all these attacks originated, and here below we have mentioned them:-
The malware was distributed from a publicly accessible HTTP file server:-
Malware Variants
Here below, we have mentioned all the malware variants that the security analyst discovered:
Researchershave been monitoring this flaw for weeks and have seen many attacks against Adobe ColdFusion. They continue to be exploited in the wild despite introducing fixes to address these flaws. Users should upgrade affected systemsto prevent threat probing.
IoCs
Attacker’s IP Address:
Malware Server’s IP Address:
Files:
#Vulnerability
Оригинальная версия на сайте:
Hackers Exploit Pre-Authentication RCE Vulnerabilities in Adobe ColdFusion
Author: GuruAdobe ColdFusion is a Java-based, commercial web app development platform using CFML for server-side programming.
ColdFusion is primarily known for its tag-based approach, which is unique. Besides this, it is also popular among developers for its adaptability across various industries.
The cybersecurity researchers at Fortinet recently uncoverd that Windows and macOS users face risk from Adobe ColdFusion vulnerabilities, targeted by remote attackers for pre-authentication RCE exploits.
Technical Analysis
Hackers target the URI ‘/CFIDE/adminapi/accessmanager.cfc,’ injecting payloads via a POST request into the ‘argumentCollection’ parameter.
Attacker’s webpage at different times on 8/24Threat actors can misuse it to validate the vulnerabilities by monitoring the domains, and here are the related domains collected by security experts:-
- mooo-ng[.]com
- redteam[.]tf
- h4ck4fun[.]xyz
Probing activities involving other domains (Source – Fortinet)
Attackers employ reverse shells for exploiting system vulnerabilities, like in Adobe ColdFusion, using Base64-encoded payloads.
It’s been identified that from several IP addresses, all these attacks originated, and here below we have mentioned them:-
- 81[.]68[.]214[.]122
- 81[.]68[.]197[.]3
- 82[.]156[.]147[.]183
The malware was distributed from a publicly accessible HTTP file server:-
- 103[.]255[.]177[.]55[:]6895
Malware Variants
Here below, we have mentioned all the malware variants that the security analyst discovered:
- XMRig Miner: It’s a software program that uses CPU cycles for Monero mining for both legitimate and malicious purposes.
- DDoS/Lucifer: It’s a hybrid bot with cryptojacking, DDoS, C2, vulnerability exploitation, and DDoS capabilities, which was reported in 2020.
- RudeMiner: It’s also a hybrid version of a malware bot that targets the crypto wallet and carries out DDoS attacks.
- BillGates/Setag: This backdoor version is mainly known for hijacking, C2 server communication, and attacks. However, in this scenario, through the checking procedure with the file “bill.lock,” this malware could be detected.
Researchershave been monitoring this flaw for weeks and have seen many attacks against Adobe ColdFusion. They continue to be exploited in the wild despite introducing fixes to address these flaws. Users should upgrade affected systemsto prevent threat probing.
IoCs
Attacker’s IP Address:
- 81[.]68[.]214[.]122
- 81[.]68[.]197[.]3
- 82[.]156[.]147[.]183
Malware Server’s IP Address:
- 103[.]255[.]177[.]55:6895
Files:
- 7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df
- 590d3088ed566cb3d85d48f4914cc657ee49b7d33e85c72167e7c72d81d4cb6c
- 808f0f85aee6be3d3f3dd4bb827f556401c4d69a642ba4b1cb3645368954622e
- 4f22fea4d0fadd2e01139021f98f04d3cae678e6526feb61fa8a6eceda13296a
#Vulnerability
Оригинальная версия на сайте:
