Security Experts:

Hackers Exploit ColdFusion Flaw in Microsoft IIS Malware Attack

Attackers used an authentication bypass vulnerability in Adobe's ColdFusion software as a stepping stone in an attack that infected web servers with malware.

Additional details about the attack emerged in recent days as researchers from Trustwave's SpiderLabs continued to dig into reports of malware disguised as modules for Microsoft's Internet Information Services (IIS) software. According to Trustwave, the malware - which they have dubbed ISN – is designed to steal data and targets information in POST requests.

The vulnerability the attackers used was CVE-2013-0629, which Adobe actually patched back in January.

"It is important to also highlight the criticality of having an expedited patching life-cycle," Trustwave's Ryan Barnett blogged, noting that in one incident, the targeted organizations was compromised less than two months after Adobe disclosed the vulnerability.

"In this particular incident, the victim organization was aware of the vulnerability report by Adobe, however they were on a quarterly patching process and had not yet installed the patch," he continued. "Deploying a Web Application Firewall (WAF) is an excellent method for minimizing the Time-to-Patch expsures for web application vulnerabilities. In this case, the victim organization did not have a WAF already deployed so actual software patching was their only option."

The malware's installer has four embedded DLLs that are dropped depending on the victim, the researcher continued. Specifically, there are IIS modules for IIS 32-bit; IIS 64-bit; IIS 7+ 32-bit and IIS7+ 64-bit. The malware also has a VBS file embedded as a PE resource that is used to install or remove the DLLs as an IIS module.

"Encryption is circumvented as the malware extracts this data from IIS itself," blogged Trustwave's Josh Grunzweig last week. "This was seen targeting credit card data on e-commerce sites, however, it could also be used to steal logins, or any other sensitive information sent to a compromised IIS instance."

view counter