Adobe ColdFusion Vulnerability Exploited to Target U.S. Government Servers, CISA Warns

ICARO Media Group
Politics
06/12/2023 21h15

In a recent announcement, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised an alarm about an active exploitation of a high-severity Adobe ColdFusion vulnerability. This vulnerability, identified as CVE-2023-26360, has been leveraged by unidentified threat actors to gain initial access to government servers.

According to CISA, the ColdFusion vulnerability is an improper access control flaw that allows an attacker to execute arbitrary code. The agency disclosed that an unnamed federal agency fell victim to these attacks between June and July 2023.

Prompt action was taken by CISA, which added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog a day after the incident was discovered. The agency cited evidence of active exploitation in the wild. In a separate advisory, Adobe acknowledged the exploitation of the flaw in limited attacks.

CISA's investigation revealed that at least two public-facing servers were compromised as a result of this vulnerability. Both of these servers were running outdated versions of the ColdFusion software, making them more susceptible to exploitation.

The threat actors ran various commands on the compromised servers, exploiting the vulnerability to drop malware via HTTP POST requests aimed at the directory path associated with ColdFusion. This suggests that the malicious activity was a reconnaissance effort aimed at mapping the broader network. However, no lateral movement or data exfiltration has been observed at this time.

During the incidents, CISA observed the threat actors traversing the filesystem and uploading various artifacts to the web server. These artifacts included binaries capable of exporting web browser cookies and malware specifically designed to decrypt passwords for ColdFusion data sources.

In one instance, a remote access trojan was deployed, which appeared to be a modified version of the ByPassGodzilla web shell. This trojan utilized a JavaScript loader to infect the device and establish communication with an actor-controlled server for executing actions.

The adversary also attempted to exfiltrate Windows Registry files and, unsuccessfully, to download data from a command-and-control (C2) server. CISA emphasized that there is strong evidence the threat actors accessed the contents of the ColdFusion seed.properties file through the web shell interface. This file contains the seed value and the encryption method used for password encryption.

It is important to note that no malicious code has been found on the victim systems to indicate that the threat actors attempted to decode any passwords using the seed values found in the seed.properties file.
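The two behaviours the article singles out, HTTP POST requests that drop files into ColdFusion paths and any request that reaches the seed.properties file, are easy to look for in ordinary web-server access logs. The following is an added example written for this page, not code from ICARO, CISA or Adobe: a small Python detector that parses constructed combined-format log lines and tallies both indicators per source address. The ColdFusion path markers, the log format and the sample lines are assumptions made for the demonstration; a real deployment should substitute its own document root layout.

```python
"""Added example (not part of the article or of CISA's advisory).

Scans web-server access-log lines for two behaviours the article describes:
  * successful HTTP POST requests aimed at ColdFusion paths (file drops), and
  * any request whose path reaches seed.properties.
Findings are grouped by client IP so an analyst can see which source did both.
"""
import re
from collections import defaultdict

# Assumed Apache/IIS-style combined log line layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed markers for "the directory path associated with ColdFusion";
# adjust to the server's actual layout.
CF_PATH_RE = re.compile(r'(/CFIDE/|/cf_scripts/|\.cfm$|\.cfc$)', re.IGNORECASE)

# Constructed sample log lines for the demonstration (addresses are RFC 5737 test ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2023:10:01:03 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jun/2023:10:02:11 +0000] "POST /CFIDE/adminapi/upload.cfm HTTP/1.1" 200 311
203.0.113.7 - - [12/Jun/2023:10:02:15 +0000] "POST /cf_scripts/upload.cfm?dir=tmp HTTP/1.1" 200 302
203.0.113.7 - - [12/Jun/2023:10:05:40 +0000] "GET /CFIDE/lib/seed.properties HTTP/1.1" 200 180
198.51.100.9 - - [12/Jun/2023:10:06:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 221
"""


def parse_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def classify(entry):
    """Return the indicator tags that apply to a single log entry."""
    tags = []
    path = entry["path"].split("?", 1)[0]  # ignore the query string
    if entry["method"] == "POST" and 200 <= entry["status"] < 300 and CF_PATH_RE.search(path):
        tags.append("cf_post_to_coldfusion_path")
    if path.lower().endswith("seed.properties"):
        tags.append("seed_properties_access")
    return tags


def scan(text):
    """Tally indicator tags per client IP, e.g. {'203.0.113.7': {'seed_properties_access': 1}}."""
    findings = defaultdict(lambda: defaultdict(int))
    for entry in parse_log(text):
        for tag in classify(entry):
            findings[entry["ip"]][tag] += 1
    return {ip: dict(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, tags)
```

Only successful POSTs (2xx) are counted as file drops, so blocked attempts do not inflate the tally; an analyst who wants to see probing as well can relax the status check. A single source address that shows both tags, as 203.0.113.7 does in the constructed sample, matches the sequence the article describes and is worth pulling the server's ColdFusion version and upload directories for.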

CISA is actively working with affected entities to mitigate the risk and has issued recommendations to update ColdFusion software to the latest version. The agency also advises organizations to regularly apply security patches and maintain up-to-date cybersecurity measures to protect against such vulnerabilities.

As the investigation continues, CISA encourages all organizations, especially government agencies, to remain vigilant and take necessary precautions to safeguard their systems from potential cyber threats.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
