Multiple Threats Target Adobe ColdFusion Vulnerabilities | FortiGuard Labs

FortiGuard Labs found active exploitation attempts against Adobe ColdFusion deserialization flaws, where attackers inject payloads into the /CFIDE/adminapi/accessmanager.cfc endpoint to probe, spawn reverse shells, and deploy multiple malware families. Observed toolsets and payloads include Base64-encoded reverse shells, interactsh-based probing domains, and downloads from an HTTP file server hosting XMRig, Lucifer (Satan DDoS), RudeMiner, and BillGates/Setag. #AdobeColdFusion #XMRig

Keypoints

  • Attackers target the ColdFusion CFC endpoint /CFIDE/adminapi/accessmanager.cfc, injecting payloads via the argumentCollection POST parameter.
  • Probing activity uses interactsh-generated domains and other domains (e.g., mooo-ng[.]com, redteam[.]tf, h4ck4fun[.]xyz) to validate successful exploitation.
  • Exploits frequently deliver Base64-encoded payloads that decode to reverse shells (connect-back shells) to gain remote command execution.
  • Malware and additional payloads are fetched from a public HTTP file server at 103[.]255[.]177[.]55:6895 used to distribute multiple variants.
  • Observed malware families include XMRig (cryptominer), Satan DDoS/Lucifer, RudeMiner, and BillGates/Setag, some with persistence and DDoS capabilities.
  • Persistence techniques include Windows registry Run keys and scheduled tasks (schtasks); DDoS methods span SYN, UDP, ICMP, and HTTP-based attacks.
  • Key IOCs include attacker IPs 81[.]68[.]214[.]122, 81[.]68[.]197[.]3, 82[.]156[.]147[.]183, the malware server 103[.]255[.]177[.]55:6895, and multiple file hashes.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attackers inject payloads into a ColdFusion component endpoint to achieve code execution (‘The targeted URI of the attack is “/CFIDE/adminapi/accessmanager.cfc,” which serves as a legitimate ColdFusion Component (CFC) endpoint. Attackers attempt to inject their payload into the “argumentCollection” parameter’).
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Base64-encoded payloads decode to shell commands that establish reverse shells (‘Some exploits directed at the Adobe ColdFusion vulnerability use payloads encoded in Base64.’).
  • [T1105] Ingress Tool Transfer – Malware and binaries are downloaded from an attacker-controlled HTTP file server to the victim (‘the threat actor distributed this malware from the same server 103[.]255[.]177[.]55[:]6895’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Use of publicly accessible HTTP file server for payload hosting and delivery (‘The server (103[.]255[.]177[.]55[:]6895) is a publicly accessible HTTP file server’).
  • [T1547.001] Registry Run Keys/Startup Folder – Lucifer establishes persistence by creating registry Run entries (‘Lucifer establishes persistence by configuring registry key values under “Software\Microsoft\Windows\CurrentVersion\Run.”’).
  • [T1053.005] Scheduled Task/Job – Use of schtasks to create recurring miner tasks for persistence (‘It also employs “schtasks” to initialize its miner parameter and create a recurring task for persistence’).
  • [T1498] Network Denial of Service – Malware families include DDoS capabilities using multiple methods including SYN, UDP, ICMP, and HTTP (‘The malware’s DDoS attack capabilities… encompass methods such as SYN, UDP, ICMP, and HTTP-based attacks.’).

Indicators of Compromise

  • [Attacker IPs] observed source IP addresses used for exploitation and probing – 81[.]68[.]214[.]122, 81[.]68[.]197[.]3 (also 82[.]156[.]147[.]183)
  • [Malware server IP] HTTP file server hosting payloads – 103[.]255[.]177[.]55:6895
  • [Domains] probing/validation domains seen in traffic – mooo-ng[.]com, redteam[.]tf, and h4ck4fun[.]xyz
  • [File hashes] distributed payloads / binaries – 7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df, 590d3088ed566cb3d85d48f4914cc657ee49b7d33e85c72167e7c72d81d4cb6c, and 2 more hashes

Fortinet-focused technical rewrite:

Attack flow begins with exploitation of an Adobe ColdFusion insecure deserialization vulnerability through the CFIDE admin API endpoint (/CFIDE/adminapi/accessmanager.cfc). Attackers send crafted POST requests embedding serialized objects in the argumentCollection parameter; successful exploitation yields arbitrary code execution. Initial reconnaissance often uses interactsh-generated domains and other observable domains (for example mooo-ng[.]com, redteam[.]tf, h4ck4fun[.]xyz) to verify exploit success remotely.

Payloads are commonly Base64-encoded and, once decoded on the target, spawn reverse shells that give the attacker command execution and remote control. Additional tooling and malware binaries are retrieved from a public HTTP file server (103[.]255[.]177[.]55:6895), which served updated payloads over the course of the campaign. Observed payloads include XMRig (cryptominer), Lucifer/Satan DDoS (with C2 and propagation features), RudeMiner, and BillGates/Setag; these families exhibit persistence (registry Run keys, schtasks), mining configuration, and DDoS modules (SYN/UDP/ICMP/HTTP).

Defensive telemetry and IOCs: monitor for POST requests to /CFIDE/adminapi/accessmanager.cfc with large or unusual argumentCollection payloads, for Base64-encoded command blobs, for HTTP downloads from 103[.]255[.]177[.]55:6895, and for connections to the listed attacker IPs (81[.]68[.]214[.]122, 81[.]68[.]197[.]3, 82[.]156[.]147[.]183). Block the listed hashes, enable the relevant IPS signatures (e.g., Adobe.ColdFusion.CVE-2023-38204.Insecure.Deserialization and those for CVE-2023-38203 and CVE-2023-29300), and patch systems to the fixed ColdFusion releases to prevent further exploitation.
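The telemetry checks above, turned into a small detection script; this is an added example, not FortiGuard's code. It assumes an Apache combined access log with a trailing request-body byte count and a free-form proxy/DNS egress log, uses the report's defanged indicators as published, and runs over constructed sample lines; BODY_LIMIT is an assumed local baseline.

```python
import re
# Indicators copied from the FortiGuard report, kept defanged exactly as published.
ATTACKER_IPS = ["81[.]68[.]214[.]122", "81[.]68[.]197[.]3", "82[.]156[.]147[.]183"]
MALWARE_SERVER = "103[.]255[.]177[.]55[:]6895"
PROBE_DOMAINS = ["mooo-ng[.]com", "redteam[.]tf", "h4ck4fun[.]xyz"]
TARGET_URI = "/CFIDE/adminapi/accessmanager.cfc"
BODY_LIMIT = 1024  # request-body bytes; assumed local baseline, tune per site
def refang(ioc):
    """Turn a defanged indicator back into the literal form that appears in logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":")

# Assumed log format: Apache combined log plus a trailing request-body byte count.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<req_bytes>\d+)$')

def check_access(line):
    """Return alert reasons for one access-log line; [] means nothing to flag."""
    m = ACCESS_RE.match(line)
    if not m or m["method"] != "POST" or not m["uri"].startswith(TARGET_URI):
        return []
    reasons = []
    if m["src"] in {refang(ip) for ip in ATTACKER_IPS}:
        reasons.append("POST to CFC endpoint from known attacker IP")
    if int(m["req_bytes"]) > BODY_LIMIT:  # serialized argumentCollection blobs are large
        reasons.append("oversized request body to CFC endpoint")
    return reasons

def check_egress(line):
    """Flag proxy/DNS lines that reach the malware file server or probing domains."""
    reasons = []
    if refang(MALWARE_SERVER) in line:
        reasons.append("download from malware HTTP file server")
    if any(refang(d) in line for d in PROBE_DOMAINS):
        reasons.append("callback to exploitation-probing domain")
    return reasons
# Constructed sample lines (not from the report); request-body bytes is the last field.
SAMPLE_ACCESS = [
    '81.68.214.122 - - [01/Jan/2024:10:00:00 +0000] "POST /CFIDE/adminapi/accessmanager.cfc HTTP/1.1" 200 512 "-" "curl/8.0" 4096',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /CFIDE/adminapi/accessmanager.cfc?method=getUser HTTP/1.1" 200 300 "-" "Mozilla" 0',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "POST /CFIDE/adminapi/accessmanager.cfc HTTP/1.1" 500 120 "-" "python-requests" 8192',
]
SAMPLE_EGRESS = [
    "2024-01-01T10:00:12Z proxy 10.0.0.7 -> 103.255.177.55:6895 GET /xmrig",
    "2024-01-01T10:00:13Z dns 10.0.0.7 query abc123.mooo-ng.com",
]
def scan(access=SAMPLE_ACCESS, egress=SAMPLE_EGRESS):
    """Run both checks and return [(line, reasons)] for every line that fires."""
    hits = [(l, check_access(l)) for l in access] + [(l, check_egress(l)) for l in egress]
    return [(l, r) for l, r in hits if r]
```

The body-size rule fires on any unknown source sending a large POST to the endpoint, so it catches exploitation from IPs not in the report while the IP rule stays exact.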

Read more: https://www.fortinet.com/blog/threat-research/multiple-threats-target-adobe-coldfusion-vulnerabilities