Summary: Hackers are actively exploiting a severe vulnerability in Adobe ColdFusion, identified as CVE-2023-26360, to gain initial access to government servers. The flaw allows the execution of arbitrary code on servers running outdated versions of Adobe ColdFusion. The Cybersecurity and Infrastructure Security Agency (CISA) recently reported two incidents in which federal agency systems were impacted by this vulnerability.

In the first incident, on June 26, a server running Adobe ColdFusion 2016.0.0.3 was breached. The hackers exploited the vulnerability to install a web shell, which allowed them to inject code into a ColdFusion configuration file and extract credentials. They attempted to conceal their activities by deleting files and creating hidden files in the directory.
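The two indicators in that paragraph (an edited configuration file and newly created hidden files) are exactly what a file-integrity baseline catches. The following Python script is an added example written for this summary; it is not CISA's tooling or Adobe's, and the directory layout and file names (`conf/app-config.xml`, `conf/install.log`, `conf/.cache`) are constructed placeholders rather than ColdFusion's real paths. It takes a hash snapshot of a directory, takes a second one later, and reports modified, added, deleted, and hidden-file additions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 hash."""
    return {
        str(path.relative_to(root)): sha256_of(path)
        for path in root.rglob("*")
        if path.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and a later snapshot."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    deleted = sorted(k for k in baseline if k not in current)
    # Any new file whose path contains a dot-prefixed component is flagged separately,
    # since dropping hidden files is the concealment technique the summary describes.
    hidden_added = [k for k in added if any(part.startswith(".") for part in Path(k).parts)]
    return {
        "modified": modified,
        "added": added,
        "deleted": deleted,
        "hidden_added": hidden_added,
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake install, then simulate a config edit,
    a hidden-file drop and a log deletion, and return the classified diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf").mkdir()
        config = root / "conf" / "app-config.xml"   # placeholder config file name
        config.write_text("<config><setting>original</setting></config>")
        install_log = root / "conf" / "install.log"  # placeholder log file name
        install_log.write_text("installed ok\n")

        baseline = snapshot(root)

        # Simulated post-compromise changes (constructed, not real artifacts):
        config.write_text("<config><setting>original</setting><!-- injected --></config>")
        (root / "conf" / ".cache").write_text("constructed marker for a dropped hidden file")
        install_log.unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In production the baseline snapshot would be stored off-host (or signed) and compared on a schedule, so that an attacker who edits the configuration cannot also rewrite the baseline; the diff output feeds an alert rather than a print.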

The second incident occurred on June 2, targeting a server running Adobe ColdFusion 2021.0.0.2. The attackers gathered user account information before dropping a remote access trojan onto the system. They then attempted to exfiltrate sensitive registry files and Security Account Manager (SAM) information. The attackers used available security tools to gain access to the SYSVOL directory.

Fortunately, both attacks were detected and blocked before any data exfiltration or lateral movement occurred. The compromised assets were promptly removed from vital networks within 24 hours.

CISA emphasizes that these attacks were reconnaissance efforts, and it remains uncertain whether they were carried out by the same threat actor. To mitigate the risk, CISA recommends upgrading to the latest version of Adobe ColdFusion, implementing network segmentation, setting up firewalls or Web Application Firewalls (WAF), and enforcing policies that allow only signed software to execute.

It is crucial for organizations, especially those in the government sector, to prioritize the security of their systems by promptly applying security updates and following best practices to protect against potential cyber threats.