Thursday, April 18, 2024

APT Group Actively Exploiting Internet-facing Vulnerable ColdFusion Server and Uploading Webshell

A Chinese APT group actively exploiting the newly patched vulnerability in Adobe ColdFusion Server and uploading a China Chopper webshell.

The attack was observed by Volexity, after two weeks Adobe released a security update. Attackers compromised numerous Internet accessible ColdFusion webservers including educational institutions, state government, health research, humanitarian aid organizations, and more.

With the recent version of ColdFusion,  Adobe replaced the classic FCKeditor with CKEditor which fails to restrict the file types that are allowed to upload.

The default CKEDitor configuration restricts only the following files (cfc,exe,php,asp,cfm,cfml), Volexity observed the APT group uploading .jsp file extension and the ColdFusion allows .jsp files to be actively executed.

Also, the attacker’s directory modification issue which allows them to place another script in some other location even if the .jsp file extension is blocked.

“Volexity was not able to confirm that CVE-2018-15961 was the vulnerability abused in these instances. Each of the sites showed signs of attempted webshell uploads or had HTML files designed to show they had been defaced.”

The vulnerability tracked as CVE-2018-15961 affects ColdFusion 11 (Update 14 and earlier versions), ColdFusion 2016 release (Update 6 and earlier versions), ColdFusion 2018 release (July 12 release (2018.0.0.310739)).

Users are recommended to install Adobe ColdFusion patches as soon as they are available. Patched versions ColdFusion 2018 (Update 1), ColdFusion 2016 (Update 7), and ColdFusion 11 (Update 15).

Volexity researchers recommend that all ColdFusion Administrator access be restricted to only approved IP addresses and recommend administrators to apply latest updates through Server Update > Updates > Settings panel.

Related Read

APT Group Uses Datper Malware To Launch Cyber Attack on Asia Countries by Executing Shell Commands

APT Group Uses Dangerous LoJax Malware That Can Survive After OS Re-installation and Hard Disk Replacement


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles