Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers | CISA

MITRE Techniques

• [T1190] Exploit Public-Facing Application – ‘Threat actors exploited two public-facing web servers running outdated versions of Adobe ColdFusion.’
• [T1059.007] Command and Scripting Interpreter: JavaScript – ‘d.jsp is a RAT that utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions.’
• [T1505.003] Server Software Component: Web Shell – ‘Threat actors uploaded various web shells to enable remote code execution and to execute commands on compromised web servers.’
• [T1482] Domain Trust Discovery – ‘Threat actors enumerated domain trusts to identify lateral movement opportunities.’
• [T1046] Network Service Discovery – ‘scanned at least three subnets to gather network information using fscan.exe, to include administrative data for future exfiltration.’
• [T1082] System Information Discovery – ‘Threat actors collected information about the web server and its operating system.’
• [T1083] File and Directory Discovery – ‘threat actors traversed and were able to search through folders on the victim’s web server filesystem.’
• [T1087.001] Account Discovery: Local Account – ‘Threat actors collected information about local user accounts.’
• [T1087.002] Account Discovery: Domain Account – ‘Threat actors collected information about domain users, including identification of domain admin accounts.’
• [T1484.001] Domain Policy Modification: Group Policy – ‘Threat actors attempted to edit SYSVOL on an agency domain controller to change policies.’
• [T1016.001] Internet Connection Discovery – ‘Threat actors periodically tested network connectivity by pinging Google’s DNS.’
• [T1518] Software Discovery – ‘threat actors checked for the presence of ColdFusion version 2018 on the victim web server.’
• [T1003.001] OS Credential Dumping: LSASS Memory – ‘threat actors attempted to harvest user account credentials through LSASS memory dumping.’
• [T1003.002] OS Credential Dumping: Security Account Manager – ‘Threat actors saved and compressed SAM information to .zip files.’
• [T1105] Ingress Tool Transfer – ‘Threat actors were able to upload malicious artifacts to the victim web server.’
• [T1071.001] Application Layer Protocol: Web Protocols – ‘Threat actors used HTTP POST requests to config.cfm, an expected configuration file in a standard installation of ColdFusion.’
• [T1140] Deobfuscate/Decode Files or Information – ‘Threat actors used certutil to decode web shells hidden inside .txt files.’
• [T1036.005] Masquerading: Match Legitimate Name or Location – ‘Threat actors inserted malicious code with the intent to extract username, password, and data source URLs into config.cfm — an expected configuration file in a standard installation of ColdFusion.’
• [T1036.008] Masquerading: Masquerade File Type – ‘Threat actors used the .txt file extension to disguise malware files.’
• [T1070.004] Indicator Removal: File Deletion – ‘Threat actors deleted files following upload to remove malicious indicators.’
• [T1564.001] Hide Artifacts: Hidden Files and Directories – ‘Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell.’