Rapid7 Observed Exploitation of Adobe ColdFusion | Rapid7 Blog

Rapid7 observed active exploitation of Adobe ColdFusion across multiple customer environments beginning in January 2023, leveraging CVE-2023-26360 and related ColdFusion vulnerabilities for initial access. The campaign involves dropping web shells, encoding PowerShell commands, and using compromised domains such as ooshirts[.]com and av-iq[.]com, with detections and indicators documented by Rapid7. #AdobeColdFusion #CVE-2023-26360 #CVE-2023-29300 #CVE-2023-29298 #CVE-2023-38203 #ooshirts #av-iq #PowerShell #CertUtil #WebShell

Key points

  • Rapid7 observed active exploitation of Adobe ColdFusion in multiple customer environments dating back to January 2023, using several CVEs for initial access.
  • Attackers dropped web shells using an encoded PowerShell command; process start data shows ColdFusion 2018 spawning the malicious commands.
  • The campaign frequently uses ColdFusion webshell techniques, including passing ColdFusion tags in the command line to create web shells.
  • Compromised infrastructure includes legitimate domains such as ooshirts[.]com and av-iq[.]com that appear in other attacks.
  • Rapid7 has existing and new detection rules in InsightIDR/MDR and guidance to patch ColdFusion (patching vulnerabilities addressed on March 14, 2023).
  • Indicators of compromise include specific filenames, hashes, and web URLs linked to ColdFusion web shells and remote access tools.
  • MITRE ATT&CK mappings in the article link exploitation, execution, persistence, and C2 behaviors to CVEs and web shell techniques.

MITRE Techniques

  • [T1190] Exploit Public Facing Application – Used to gain initial access by exploiting Adobe ColdFusion CVE-2023-26360. ‘exploitation of Adobe ColdFusion CVE-2023-26360 for initial access’
  • [T1059] Command and Scripting Interpreter – Encoded commands are executed via scripting interpreters during exploitation. ‘dropped webshells using an encoded PowerShell command. Process start data indicates that ColdFusion 2018 is spawning malicious commands.’
  • [T1059.001] PowerShell – Example base64 encoded command executed by malicious actor through ColdFusion. ‘Example base64 encoded command executed by malicious actor through ColdFusion’
  • [T1059.003] Windows Command Shell – ColdFusion 2018 spawns malicious commands. ‘ColdFusion 2018 is spawning malicious commands’
  • [T1505] Server Software Component – Web server components are manipulated to host malicious content. ‘Webshell – Possible ColdFusion Webshell In Command Line’
  • [T1505.003] Web Shell – Web shell techniques used via ColdFusion web roots. ‘Webshell – Possible ColdFusion Webshell In Command Line’
  • [T1132] Data Encoding – Use of encoded payloads (e.g., base64) to conceal command/data. ‘Example base64 encoded command executed by malicious actor through ColdFusion’
  • [T1572] Protocol Tunneling – C2/data exfiltration may utilize nonstandard communication channels (not explicitly described in detail in the article, but listed in MITRE mapping)
  • [T1584] Compromise Infrastructure – Attack infrastructure relies on compromised third-party infrastructure (e.g., compromised domains). ‘The compromised website, ooshirts[.]com, being used in other attacks dating back to March 2022.’
  • [T1584.004] Server – Sub-technique indicating use of server infrastructure for exploitation. ‘Server (sub-technique)’

Indicators of Compromise

  • [Filename] ColdFusion WebShell indicators – WOW.TXT, wow.txt, and 5 more filenames (www.txt, www.cfm, wow1.cfm, zzz.txt, dncat.exe)
  • [SHA-256] ColdFusion WebShell – e77d6a10370db19b97cacaeb6662ba79f34087d6eaa46f997ea4956e2ad2f245, 2482ab79ecb52e1c820ead170474914761358d3cee16e3377fd6e031d3e6cc25, and 3 more hashes
  • [MD5] DotNetCat – 1edf1d653deb9001565b5eff3e50824a, 470797a25a6b21d0a46f82968fd6a184
  • [SHA-1] DotNetCat – 5d95fb365b9d0ceb568bb0c75cb1d70707723f27, dac7867ee642a65262e153147552befb0b45b036
  • [SHA-256] NetCat – 213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0, ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419
  • [URL] hXXps://www.av-iq[.]com/wow.txt – ColdFusion WebShell
  • [URL] hXXps://www.ooshirts[.]com/images/zzz.txt – ColdFusion WebShell
  • [URL] hXXps://www.ooshirts[.]com/images/dncat.exe – DotNetCat
  • [URL] hXXp://www.ooshirts[.]com/images/nc.exe – NetCat
  • [FQDN] www.av-iq[.]com – Legitimate Compromised Domain
  • [FQDN] www.ooshirts[.]com – Legitimate Compromised Domain

Read more: https://www.rapid7.com/blog/post/2023/03/21/etr-rapid7-observed-exploitation-of-adobe-coldfusion/