CONFERENCE Watch Now: Threat Detection & Incident Response (TDIR) Summit - Watch Event On-Demand
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Hackers Exploit ColdFusion Flaw in Microsoft IIS Malware Attack

Attackers used an authentication bypass vulnerability in Adobe’s ColdFusion software as a stepping stone in an attack that infected web servers with malware.

Attackers used an authentication bypass vulnerability in Adobe’s ColdFusion software as a stepping stone in an attack that infected web servers with malware.

Additional details about the attack emerged in recent days as researchers from Trustwave’s SpiderLabs continued to dig into reports of malware disguised as modules for Microsoft’s Internet Information Services (IIS) software. According to Trustwave, the malware – which they have dubbed ISN – is designed to steal data and targets information in POST requests.

The vulnerability the attackers used was CVE-2013-0629, which Adobe actually patched back in January.

“It is important to also highlight the criticality of having an expedited patching life-cycle,” Trustwave’s Ryan Barnett blogged, noting that in one incident, the targeted organizations was compromised less than two months after Adobe disclosed the vulnerability.

“In this particular incident, the victim organization was aware of the vulnerability report by Adobe, however they were on a quarterly patching process and had not yet installed the patch,” he continued. “Deploying a Web Application Firewall (WAF) is an excellent method for minimizing the Time-to-Patch expsures for web application vulnerabilities. In this case, the victim organization did not have a WAF already deployed so actual software patching was their only option.”

Advertisement. Scroll to continue reading.

The malware’s installer has four embedded DLLs that are dropped depending on the victim, the researcher continued. Specifically, there are IIS modules for IIS 32-bit; IIS 64-bit; IIS 7+ 32-bit and IIS7+ 64-bit. The malware also has a VBS file embedded as a PE resource that is used to install or remove the DLLs as an IIS module.

“Encryption is circumvented as the malware extracts this data from IIS itself,” blogged Trustwave’s Josh Grunzweig last week. “This was seen targeting credit card data on e-commerce sites, however, it could also be used to steal logins, or any other sensitive information sent to a compromised IIS instance.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.