Two ColdFusion vulnerabilities patched by Adobe more than a decade ago have been exploited by threat actors in a recent attack, according to cybersecurity firm Sophos.
Sophos recently investigated an attack where an unknown threat actor deployed the Cring ransomware on the systems of an unnamed services company. The attack started with the attacker scanning the web for potential targets and identifying a vulnerable ColdFusion installation on the victim’s website.
The hackers then exploited CVE-2010-2861, a ColdFusion path traversal vulnerability that leads to information disclosure, to obtain a password file from the server. They then exploited another old ColdFusion vulnerability, CVE-2009-3960, to upload a web shell file to the server. The web shell was then used to load a Cobalt Strike Beacon payload.
Over the coming days, the cybercriminals uploaded more files to the compromised server, executed commands, created scheduled tasks, deployed additional web shells, created user accounts, and moved to other devices on the network. Roughly 79 hours after the initial intrusion, they delivered the Cring ransomware, which encrypted files and delivered a note instructing the victim to pay a ransom to obtain the decryptor.
Sophos noted that the initially targeted server was running ColdFusion 9, which reached end of life in 2016, and Windows Server 2008, which is no longer supported by Microsoft since January 2020 (except for organizations that pay for Extended Security Updates).
While CVE-2010-2861 has been known to be exploited in attacks, there do not appear to be any reports of CVE-2009-3960 being leveraged in attacks. However, exploits for CVE-2009-3960 are included in several hacking tools so it’s not surprising that it has been used by malicious actors.
As for the Cring ransomware, Kaspersky reported earlier this year that it had been deployed in attacks aimed at industrial organizations. In the attacks seen by the security firm, the hackers exploited a FortiOS vulnerability patched by Fortinet in 2019 (CVE-2018-13379).
“Cring ransomware isn’t new, but it’s uncommon,” said Andrew Brandt, principal researcher at Sophos. “In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades.”