A Chinese APT group is actively exploiting a newly patched vulnerability in Adobe ColdFusion Server and uploading a China Chopper webshell.
The attacks were observed by Volexity two weeks after Adobe released a security update. The attackers compromised numerous Internet-accessible ColdFusion web servers belonging to educational institutions, state governments, health research and humanitarian aid organizations, and others.
In the recent version of ColdFusion, Adobe replaced the classic FCKeditor with CKEditor, whose default configuration fails to properly restrict the file types that may be uploaded.
The default CKEditor configuration blocks only the following extensions: cfc, exe, php, asp, cfm and cfml. Volexity observed the APT group uploading files with the .jsp extension, which is not on that list and which ColdFusion actively executes.
The upload handler also has a directory modification issue that lets an attacker place a script in another location, even where the .jsp file extension is blocked.
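To make the two weaknesses concrete, the following is an added example (not code from Volexity, Adobe or CKEditor) that mirrors the reported denylist beside an allowlist and a base-directory containment check; the allowed image extensions and the upload directory are assumptions.

```python
import os
import posixpath

# The denylist reported for the default CKEditor configuration shipped with
# ColdFusion: any extension NOT on this list is accepted, including .jsp.
DENIED_EXTENSIONS = {"cfc", "exe", "php", "asp", "cfm", "cfml"}

# Assumed allowlist for an image-upload endpoint: only what the application
# actually needs; everything else, .jsp included, is rejected.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def extension(filename: str) -> str:
    """Lower-cased extension after the final dot, or '' if there is none."""
    base = posixpath.basename(filename.replace("\\", "/"))
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def denylist_accepts(filename: str) -> bool:
    """Mirrors the weak default: accept unless the extension is denied."""
    return extension(filename) not in DENIED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: accept only extensions the application expects."""
    return extension(filename) in ALLOWED_EXTENSIONS


def safe_upload_path(base_dir: str, requested: str):
    """Resolve `requested` under base_dir; return None if it escapes.

    This is the containment check that closes the directory modification
    problem: a name such as '../other/x.jsp' must not land outside base_dir.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested.replace("\\", "/")))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for name in ("webshell.jsp", "page.cfm", "photo.jpg", "UPLOAD.JSP"):
        print(f"{name:12} denylist={denylist_accepts(name)!s:5} "
              f"allowlist={allowlist_accepts(name)}")
    print(safe_upload_path("/srv/uploads", "../cfusion/x.jsp"))  # None
```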
“Volexity was not able to confirm that CVE-2018-15961 was the vulnerability abused in these instances. Each of the sites showed signs of attempted webshell uploads or had HTML files designed to show they had been defaced.”
The vulnerability tracked as CVE-2018-15961 affects ColdFusion 11 (Update 14 and earlier versions), ColdFusion 2016 release (Update 6 and earlier versions), ColdFusion 2018 release (July 12 release (2018.0.0.310739)).
Users are advised to install the Adobe ColdFusion patches as soon as they are available. The patched versions are ColdFusion 2018 (Update 1), ColdFusion 2016 (Update 7) and ColdFusion 11 (Update 15).
Volexity researchers recommend that all ColdFusion Administrator access be restricted to approved IP addresses only, and that administrators apply the latest updates through the Server Update > Updates > Settings panel.