Adobe ColdFusion servers under attack from APT group


A nation-state cyber-espionage group is actively hacking into Adobe ColdFusion servers and planting backdoors for future operations, Volexity researchers have told ZDNet.

The attacks have been taking place since late September and have targeted ColdFusion servers that were not updated with security patches that Adobe released two weeks before, on September 11.

It appears that hackers studied Adobe’s September patches and figured out how to exploit CVE-2018-15961 to their advantage.

Classified as an “unauthenticated file upload,” this vulnerability allowed this APT group (APT stands for advanced persistent threat, another term used to describe nation-state cyber-espionage groups) to surreptitiously upload a version of the China Chopper backdoor on unpatched servers and take over the entire system.

Matthew Meltzer, a security analyst for Volexity, has told ZDNet that the core issue at the heart of this vulnerability is that Adobe had replaced the technology behind the native ColdFusion WYSIWYG editor from FCKEditor to CKEditor.

CKEditor is a revamped and updated version of the older FCKEditor, but Meltzer says that when Adobe made the switch between the two inside ColdFusion it accidentally opened an unauthenticated file upload vulnerability that it originally patched in FCKEditor’s ColdFusion integration back in 2009.

The problem, according to Meltzer, is that ColdFusion’s initial CKEditor integration featured a weaker file upload blacklist that allowed users to upload JSP files on ColdFusion servers. Since ColdFusion can natively execute JSP files, this created a dangerous situation.

“The attackers we observed noticed that the .jsp extension had been left out and took advantage of this,” Meltzer told ZDNet in an interview today.

Adobe realized its mistake and added JSP files to CKEditor’s file extension upload blacklist in September’s patch.
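The passage above turns on a single omission in an extension blacklist. The following is an added illustration, not code from Adobe, ColdFusion or Volexity: a constructed, hypothetical blacklist that leaves `.jsp` out (mirroring the situation the article describes), the same list with `.jsp` added (mirroring the September fix), and an allowlist alternative that only names what an image editor needs to accept. It also shows why the extension must be normalised (lower-cased, trailing dots stripped) before the check, and includes a small audit helper for listing server-executable files in a set of upload paths. All file names and lists here are constructed for the example.

```python
import os

# Constructed, hypothetical blacklist approximating what the article describes:
# common server-side extensions are blocked, but .jsp has been left out.
WEAK_BLACKLIST = frozenset({".cfm", ".cfml", ".cfc", ".php", ".asp", ".aspx", ".exe"})

# The same list after a fix of the kind the article describes: .jsp added.
PATCHED_BLACKLIST = WEAK_BLACKLIST | {".jsp"}

# Allowlist alternative: only the types an image-upload feature actually needs.
IMAGE_ALLOWLIST = frozenset({".png", ".jpg", ".jpeg", ".gif"})


def normalized_extension(filename: str) -> str:
    """Final extension of a file name, lower-cased, with path components removed
    and trailing dots/spaces stripped (some filesystems silently drop those)."""
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    _, ext = os.path.splitext(base)
    return ext.lower()


def naive_blacklist_allows(filename: str, blacklist: frozenset) -> bool:
    """Blacklist check without normalisation: compares the raw extension only.
    Shown here to demonstrate the gaps a case- or suffix-variant leaves open."""
    _, ext = os.path.splitext(filename)
    return ext not in blacklist


def blacklist_allows(filename: str, blacklist: frozenset) -> bool:
    """Blacklist check with normalisation: accept unless explicitly blocked.
    Still only as good as the list; anything not listed is accepted."""
    return normalized_extension(filename) not in blacklist


def allowlist_allows(filename: str, allowlist: frozenset) -> bool:
    """Allowlist check: reject unless the extension is explicitly permitted.
    An unlisted extension (such as .jsp) is rejected by default."""
    ext = normalized_extension(filename)
    return ext != "" and ext in allowlist


def flag_server_side_files(paths, blocked=PATCHED_BLACKLIST):
    """Audit helper: return the upload paths whose (normalised) extension is
    server-executable, e.g. for reviewing an upload directory after the fact."""
    return sorted(p for p in paths if normalized_extension(p) in blocked)


# Constructed sample listing of an upload directory (not real data).
SAMPLE_UPLOADS = [
    "uploads/logo.png",
    "uploads/report.pdf.jsp",
    "uploads/photo.JPG",
    "uploads/index.JSP.",
]

if __name__ == "__main__":
    for name in ("shell.jsp", "shell.JSP", "shell.jsp.", "photo.PNG"):
        print(
            f"{name:12} weak={blacklist_allows(name, WEAK_BLACKLIST)!s:5} "
            f"patched={blacklist_allows(name, PATCHED_BLACKLIST)!s:5} "
            f"naive_patched={naive_blacklist_allows(name, PATCHED_BLACKLIST)!s:5} "
            f"allowlist={allowlist_allows(name, IMAGE_ALLOWLIST)}"
        )
    print("flagged:", flag_server_side_files(SAMPLE_UPLOADS))
```

The design point is that a blacklist fails open: every extension the maintainer forgets (or every spelling the comparison does not normalise) is accepted, whereas an allowlist fails closed and needs no knowledge of which extensions the server can execute.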

But this simple change didn’t escape the APT group’s notice. Two weeks after Adobe’s patch, the cyber-espionage group started scanning for unpatched ColdFusion servers and has been uploading a JSP version of the China Chopper backdoor to exploit and take over servers ever since.

It is unclear what the attackers want to do with these servers in the future, but they are most likely going to be used as staging areas to host malware, send spear-phishing emails, run watering hole attacks, or disguise other attacks as part of a proxy network, all typical APT activity.

“Abusing CVE-2018-15961 is not difficult, thus any organizations running a vulnerable instance of ColdFusion should update as soon as possible,” Meltzer warned.

The researcher says that Volexity has also identified cases over the summer where a group of Indonesian hacktivists has been defacing websites hosted on ColdFusion servers.

While Meltzer and Volexity have not had a chance to review logs and artifacts from the affected companies, they do believe that this group might have used the same vulnerability even before Adobe patched it. Their assumption is based on the locations of files uploaded during these defacements, which suggest unauthorized uploads.

“We have not observed abuse of this vulnerability outside of the APT activity and possibly related criminal web defacement,” Meltzer told us, but this might change in the future.

The company advises ColdFusion server owners to take advantage of the server’s automatic update feature to make sure their servers receive and install updates as soon as they’re available. Volexity has also published a technical report with its recent findings.
