Decade-Old Adobe ColdFusion Vulnerabilities Exploited by Ransomware Gang

Two ColdFusion vulnerabilities patched by Adobe more than a decade ago have been exploited by threat actors in a recent attack, according to cybersecurity firm Sophos.

Sophos recently investigated an attack where an unknown threat actor deployed the Cring ransomware on the systems of an unnamed services company. The attack started with the attacker scanning the web for potential targets and identifying a vulnerable ColdFusion installation on the victim’s website.

The hackers then exploited CVE-2010-2861, a ColdFusion path traversal vulnerability that leads to information disclosure, to obtain a password file from the server. They then exploited another old ColdFusion vulnerability, CVE-2009-3960, to upload a web shell file to the server. The web shell was then used to load a Cobalt Strike Beacon payload.

Over the coming days, the cybercriminals uploaded more files to the compromised server, executed commands, created scheduled tasks, deployed additional web shells, created user accounts, and moved to other devices on the network. Roughly 79 hours after the initial intrusion, they delivered the Cring ransomware, which encrypted files and delivered a note instructing the victim to pay a ransom to obtain the decryptor.

Cring ransomware

Sophos noted that the initially targeted server was running ColdFusion 9, which reached end of life in 2016, and Windows Server 2008, which Microsoft stopped supporting in January 2020 (except for organizations that pay for Extended Security Updates).

While CVE-2010-2861 has been known to be exploited in attacks, there do not appear to be any public reports of CVE-2009-3960 being leveraged in attacks. However, exploits for CVE-2009-3960 are included in several hacking tools, so it’s not surprising that it has been used by malicious actors.
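The web-layer stages described above (an internet-reachable ColdFusion administrator, a path-traversal request, a file upload to the admin path, and a script executed from an upload directory) all leave traces in ordinary access logs. The following is an added example, not code from Sophos or from this article, of a small log scanner that flags those indicators and correlates them per source address so the sequence stands out. It assumes Apache/IIS-style combined log lines, that `/CFIDE/` is the ColdFusion administrator path, and that `/userfiles/` and `/uploads/` are user-content directories that should never serve scripts; the log lines are constructed samples.

```python
"""Scan web access logs for the web-layer intrusion stages described in the article.

Added example (not from the Sophos report or SecurityWeek). Assumptions:
Apache/IIS-style combined log lines; /CFIDE/ is the ColdFusion admin path;
/userfiles/ and /uploads/ hold user content and should not contain scripts.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
ADMIN_PREFIX = "/cfide/"                    # assumption: ColdFusion 9 admin console path
UPLOAD_DIRS = ("/userfiles/", "/uploads/")  # assumption: user-content directories
SCRIPT_EXTS = (".cfm", ".cfml", ".cfc", ".jsp")

# Constructed sample lines; the addresses are documentation ranges, not real sources.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Sep/2021:02:14:07 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.5 - - [10/Sep/2021:02:15:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2210
203.0.113.5 - - [10/Sep/2021:02:15:09 +0000] "GET /CFIDE/administrator/page.cfm?file=..%252F..%252F..%252Fexample.properties HTTP/1.1" 200 1843
203.0.113.5 - - [10/Sep/2021:02:21:44 +0000] "POST /CFIDE/scripts/upload.cfm HTTP/1.1" 200 310
203.0.113.5 - - [10/Sep/2021:02:22:03 +0000] "GET /userfiles/file/note.cfm HTTP/1.1" 200 76
198.51.100.7 - - [10/Sep/2021:02:30:00 +0000] "POST /contact.cfm HTTP/1.1" 200 900
"""


def normalize(target: str) -> str:
    """Decode percent-encoding twice (catches double encoding), unify slashes, drop NULs."""
    decoded = unquote(unquote(target))
    return decoded.replace("\\", "/").replace("\x00", "").lower()


def classify(method: str, target: str, status: int) -> list[str]:
    """Return the indicator names a single request matches (empty list if none)."""
    path = normalize(target)
    bare = path.split("?", 1)[0]
    findings = []
    if "../" in path:
        findings.append("path-traversal")
    if bare.startswith(ADMIN_PREFIX) and status < 400:
        findings.append("admin-console-reachable")
    if method in ("POST", "PUT") and bare.startswith(ADMIN_PREFIX):
        findings.append("upload-to-admin-path")
    if bare.endswith(SCRIPT_EXTS) and any(d in bare for d in UPLOAD_DIRS):
        findings.append("web-shell-execution")
    return findings


def scan_log(text: str) -> list[dict]:
    """Parse each line and keep only the requests carrying at least one indicator."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["method"], m["target"], int(m["status"]))
        if findings:
            events.append({"ip": m["ip"], "ts": m["ts"],
                           "target": m["target"], "findings": findings})
    return events


def attack_chains(events: list[dict], min_stages: int = 2) -> dict[str, list[str]]:
    """Group indicators per source in first-seen order; keep sources that hit several stages."""
    per_ip: dict[str, list[str]] = {}
    for ev in events:
        stages = per_ip.setdefault(ev["ip"], [])
        for f in ev["findings"]:
            if f not in stages:
                stages.append(f)
    return {ip: s for ip, s in per_ip.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for ip, stages in attack_chains(scan_log(SAMPLE_LOG)).items():
        print(ip, "->", " > ".join(stages))
```

Two design points matter here. Traversal is checked after double URL-decoding and backslash normalization, because a single decode misses `%252F` and a forward-slash-only check misses `..\`. And the per-source chain, rather than any single hit, is what turns noisy indicators into an alert: one source that reaches the admin console, traverses, uploads to the admin path and then executes a script from an upload directory within minutes is the pattern worth paging on, while a lone `../` from a scanner is not.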

As for the Cring ransomware, Kaspersky reported earlier this year that it had been deployed in attacks aimed at industrial organizations. In the attacks seen by the security firm, the hackers exploited a FortiOS vulnerability patched by Fortinet in 2019 (CVE-2018-13379).

“Cring ransomware isn’t new, but it’s uncommon,” said Andrew Brandt, principal researcher at Sophos. “In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades.”


Related: Adobe Patches ColdFusion Vulnerability Exploited in the Wild

Related: Adobe Patches Critical ColdFusion Security Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
