Security researchers at Sophos have shared some details on a cyberattack they recently investigated, in which threat actors exploited a decade-old bug in an 11-year-old installation of Adobe ColdFusion 9 to take over the ColdFusion server and deploy the Cring ransomware.
The intrusion started with the attacker scanning the internet for potential targets and identifying a vulnerable ColdFusion installation on the victim’s website. The attacker then exploited CVE-2010-2861, a directory traversal vulnerability in ColdFusion that allows a remote user to retrieve files from web server directories that aren’t supposed to be available to the public. In this case, the attacker retrieved a file called password.properties from the server.
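A defender reading this would want to know whether the same kind of request shows up in their own web-server logs. The Python below is an added example, not Sophos' tooling or any artifact from the investigation: it parses Common Log Format access-log lines (constructed here for illustration), decodes percent-encoding (including double encoding), and flags requests that contain a directory-traversal sequence or name a file that should never be served to anonymous clients. The file name password.properties comes from the article; the other sensitive names and the request paths are assumptions.

```python
"""Flag access-log entries that look like directory-traversal attempts.

Added example (not Sophos' tooling). Assumes Common Log Format lines.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample log lines; they are not from the incident described above.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2021:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.10 - - [10/Sep/2021:10:01:09 +0000] "GET /app/view?file=..%2F..%2F..%2Fconf%2Fpassword.properties HTTP/1.1" 200 842
198.51.100.7 - - [10/Sep/2021:10:02:30 +0000] "GET /images/logo..png HTTP/1.1" 200 3120
198.51.100.7 - - [10/Sep/2021:10:03:11 +0000] "GET /download?path=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# A ".." path element followed by a separator (or end of string) after normalization.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')

# Files that should never be fetched through the web tier.
# password.properties is named in the article; the others are assumed examples.
SENSITIVE_NAMES = ("password.properties", "web.config", ".htpasswd")


def normalize_target(target: str) -> str:
    """Decode percent-encoding until stable (catches %252e double encoding)
    and unify backslashes so one regex covers both path styles."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def analyze_entry(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalize_target(m["target"])
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append("traversal sequence")
    lowered = target.lower()
    for name in SENSITIVE_NAMES:
        if name in lowered:
            reasons.append(f"sensitive file {name}")
    if not reasons:
        return None
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "target": target,
        "status": status,
        "reasons": reasons,
        # A 2xx response means the server actually handed the file back;
        # that is the case that needs immediate follow-up.
        "severity": "high" if status < 300 else "low",
    }


def scan_log(text: str) -> list:
    """Run analyze_entry over every line and keep only the findings."""
    return [hit for hit in (analyze_entry(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"], hit["ip"], hit["status"], hit["target"], ", ".join(hit["reasons"]))
```

The harmless "logo..png" request is not flagged because the two dots are not a path element, while the double-encoded request is caught only because decoding is repeated; a single pass would leave "%2e%2e/" in place and miss it.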
After that, the attacker made use of another ColdFusion flaw, CVE-2009-3960, which allows a remote attacker to inject data by exploiting ColdFusion’s XML handling protocols, to upload a web shell to the ColdFusion server. That web shell was then used to load a Cobalt Strike beacon onto the compromised server.
Next, the threat actor uploaded more files to the compromised server, executed commands, created scheduled tasks, deployed additional web shells, created user accounts, and disabled anti-malware engines like Windows Defender.
Roughly 79 hours after the initial compromise, the attacker deployed the Cring ransomware, which encrypted files and displayed a note instructing the victim to pay a ransom to obtain the decryptor.
“The server running ColdFusion was running the Windows Server 2008 operating system, which Microsoft end-of-lifed in January, 2020. Adobe declared end-of-life for ColdFusion 9 in 2016. As a result, neither the operating system nor the ColdFusion software could be patched. The incident serves as a stark reminder that IT administrators cannot leave out-of-date critical business systems facing the public internet,” Sophos noted.