A Chinese APT group actively exploiting the newly patched vulnerability in Adobe ColdFusion Server and uploading a China Chopper webshell.
The attack was observed by Volexity, after two weeks Adobe released a security update. Attackers compromised numerous Internet accessible ColdFusion webservers including educational institutions, state government, health research, humanitarian aid organizations, and more.
With the recent version of ColdFusion, Adobe replaced the classic FCKeditor with CKEditor which fails to restrict the file types that are allowed to upload.
The default CKEDitor configuration restricts only the following files (cfc,exe,php,asp,cfm,cfml), Volexity observed the APT group uploading .jsp file extension and the ColdFusion allows .jsp files to be actively executed.
Also, the attacker’s directory modification issue which allows them to place another script in some other location even if the .jsp file extension is blocked.
“Volexity was not able to confirm that CVE-2018-15961 was the vulnerability abused in these instances. Each of the sites showed signs of attempted webshell uploads or had HTML files designed to show they had been defaced.”
The vulnerability tracked as CVE-2018-15961 affects ColdFusion 11 (Update 14 and earlier versions), ColdFusion 2016 release (Update 6 and earlier versions), ColdFusion 2018 release (July 12 release (2018.0.0.310739)).
Users are recommended to install Adobe ColdFusion patches as soon as they are available. Patched versions ColdFusion 2018 (Update 1), ColdFusion 2016 (Update 7), and ColdFusion 11 (Update 15).
Volexity researchers recommend that all ColdFusion Administrator access be restricted to only approved IP addresses and recommend administrators to apply latest updates through Server Update > Updates > Settings panel.
APT Group Uses Datper Malware To Launch Cyber Attack on Asia Countries by Executing Shell Commands
Recent revelations about Google’s SafetyCore app have ignited a firestorm of privacy debates, echoing Apple’s…
Security researchers have uncovered a novel Bluetooth tracking vulnerability in Apple’s Find My network –…
Cybersecurity firm Group-IB, alongside the Royal Thai Police and Singapore Police Force, announced the arrest…
Cisco Systems has issued a critical security advisory for a newly disclosed command injection vulnerability…
A newly discovered Wi-Fi jamming technique enables attackers to selectively disconnect individual devices from networks…
GitLab has urgently released security updates to address multiple high-severity vulnerabilities in its platform that…