Hackers Exploit ColdFusion Flaw in Microsoft IIS Malware Attack

Attackers used an authentication bypass vulnerability in Adobe’s ColdFusion software as a stepping stone in an attack that infected web servers with malware.

Additional details about the attack emerged in recent days as researchers from Trustwave’s SpiderLabs continued to dig into reports of malware disguised as modules for Microsoft’s Internet Information Services (IIS) software. According to Trustwave, the malware – which they have dubbed ISN – is designed to steal data and targets information in POST requests.

The vulnerability the attackers used was CVE-2013-0629, which Adobe actually patched back in January.

“It is important to also highlight the criticality of having an expedited patching life-cycle,” Trustwave’s Ryan Barnett blogged, noting that in one incident, the targeted organization was compromised less than two months after Adobe disclosed the vulnerability.

“In this particular incident, the victim organization was aware of the vulnerability report by Adobe, however they were on a quarterly patching process and had not yet installed the patch,” he continued. “Deploying a Web Application Firewall (WAF) is an excellent method for minimizing the Time-to-Patch exposures for web application vulnerabilities. In this case, the victim organization did not have a WAF already deployed so actual software patching was their only option.”

The malware’s installer has four embedded DLLs that are dropped depending on the victim, the researcher continued. Specifically, there are IIS modules for IIS 32-bit, IIS 64-bit, IIS 7+ 32-bit and IIS 7+ 64-bit. The malware also has a VBS file embedded as a PE resource that is used to install or remove the DLLs as an IIS module.

“Encryption is circumvented as the malware extracts this data from IIS itself,” blogged Trustwave’s Josh Grunzweig last week. “This was seen targeting credit card data on e-commerce sites, however, it could also be used to steal logins, or any other sensitive information sent to a compromised IIS instance.”
