
CISA Publish Joint Advisory on Cyber Actors Exploiting Adobe ColdFusion - 20231208002

Overview

Since the publication of Advisory #20231206002, CISA have released a joint Cybersecurity Advisory (CSA), "Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers", in response to the active exploitation of affected Adobe ColdFusion versions. The advisory includes tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.

This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations.

Background and Technical Details

In June 2023, threat actors exploited CVE-2023-26360 to establish an initial foothold on two agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint (MDE) alerted on the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency's pre-production environment. Both servers were running outdated versions of software which are vulnerable to various CVEs.

Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion.
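The behaviour described above (HTTP POST requests to the ColdFusion directory path) can be hunted for in web server access logs. The following is an added example, not code from the CISA advisory or from this page; it assumes combined-log-format access logs, and the path prefix `/CF_PATH_PLACEHOLDER/` and all sample log lines are constructed placeholders to be replaced with the ColdFusion paths exposed on your own servers.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: access logs are in combined log format (Apache/nginx style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "ua"',
    '203.0.113.7 - - [01/Jan/2000:10:00:05 +0000] "POST /CF_PATH_PLACEHOLDER/upload.cfc?method=x HTTP/1.1" 200 88 "-" "ua"',
    '198.51.100.9 - - [01/Jan/2000:10:02:00 +0000] "POST /cf_path_placeholder/a.cfm HTTP/1.1" 404 0 "-" "ua"',
    '198.51.100.9 - - [01/Jan/2000:10:03:00 +0000] "POST /app/login HTTP/1.1" 200 20 "-" "ua"',
]


def find_coldfusion_posts(lines, cf_prefixes):
    """Return {client_ip: [(timestamp, path, status), ...]} for POST requests
    whose path falls under one of the given ColdFusion directory prefixes."""
    prefixes = tuple(p.lower() for p in cf_prefixes)
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string, decode percent-encoding, and compare
        # case-insensitively so trivially altered paths still match.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        if path.startswith(prefixes):
            hits[m["ip"]].append((m["ts"], m["path"], int(m["status"])))
    return dict(hits)


def successful_posts(hits):
    """Keep only POSTs the server answered with 2xx; triage these first,
    since a file write or command is more likely to have succeeded."""
    out = {}
    for ip, rows in hits.items():
        ok = [r for r in rows if 200 <= r[2] < 300]
        if ok:
            out[ip] = ok
    return out


if __name__ == "__main__":
    found = find_coldfusion_posts(SAMPLE_LOG, ["/CF_PATH_PLACEHOLDER/"])
    for ip, rows in successful_posts(found).items():
        print(ip, rows)
```

Hits from this search are leads for investigation and should be correlated with the IOCs and TTPs in the CISA advisory and with endpoint telemetry from the same time window.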

Recommendations

The WA SOC encourages administrators to review this guidance and implement its mitigations and recommendations. Additionally, it is highly recommended to review the noted incident details for additional TTPs, for context and reference when performing investigations.
