Industrial Control Systems Cyber Emergency Response TeamAA23-339AThreat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
99.6%
Actions to take today to mitigate malicious cyber activity:
- Prioritize remediating known exploited vulnerabilities.
- Employ proper network segmentation.
- Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
References
attack.mitre.org/versions/v13/software/S0160/
attack.mitre.org/versions/v13/software/S0160/
attack.mitre.org/versions/v13/software/S0404/
attack.mitre.org/versions/v13/software/S0404/
attack.mitre.org/versions/v14/
attack.mitre.org/versions/v14/techniques/T1003/001/
attack.mitre.org/versions/v14/techniques/T1003/001/
attack.mitre.org/versions/v14/techniques/T1003/002/
attack.mitre.org/versions/v14/techniques/T1003/002/
attack.mitre.org/versions/v14/techniques/T1016/001/
attack.mitre.org/versions/v14/techniques/T1016/001/
attack.mitre.org/versions/v14/techniques/T1036/005/
attack.mitre.org/versions/v14/techniques/T1036/005/
attack.mitre.org/versions/v14/techniques/T1036/008/
attack.mitre.org/versions/v14/techniques/T1036/008/
attack.mitre.org/versions/v14/techniques/T1046/
attack.mitre.org/versions/v14/techniques/T1046/
attack.mitre.org/versions/v14/techniques/T1059/007/
attack.mitre.org/versions/v14/techniques/T1059/007/
attack.mitre.org/versions/v14/techniques/T1070/004/
attack.mitre.org/versions/v14/techniques/T1070/004/
attack.mitre.org/versions/v14/techniques/T1071/001/
attack.mitre.org/versions/v14/techniques/T1071/001/
attack.mitre.org/versions/v14/techniques/T1082/
attack.mitre.org/versions/v14/techniques/T1082/
attack.mitre.org/versions/v14/techniques/T1083/
attack.mitre.org/versions/v14/techniques/T1083/
attack.mitre.org/versions/v14/techniques/T1087/001/
attack.mitre.org/versions/v14/techniques/T1087/001/
attack.mitre.org/versions/v14/techniques/T1087/002/
attack.mitre.org/versions/v14/techniques/T1087/002/
attack.mitre.org/versions/v14/techniques/T1105/
attack.mitre.org/versions/v14/techniques/T1105/
attack.mitre.org/versions/v14/techniques/T1140/
attack.mitre.org/versions/v14/techniques/T1140/
attack.mitre.org/versions/v14/techniques/T1190/
attack.mitre.org/versions/v14/techniques/T1190/
attack.mitre.org/versions/v14/techniques/T1482/
attack.mitre.org/versions/v14/techniques/T1482/
attack.mitre.org/versions/v14/techniques/T1484/001/
attack.mitre.org/versions/v14/techniques/T1484/001/
attack.mitre.org/versions/v14/techniques/T1505/003/
attack.mitre.org/versions/v14/techniques/T1505/003/
attack.mitre.org/versions/v14/techniques/T1518/
attack.mitre.org/versions/v14/techniques/T1518/
attack.mitre.org/versions/v14/techniques/T1564/001/
attack.mitre.org/versions/v14/techniques/T1564/001/
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
github.com/cisagov/Decider/
github.com/cisagov/Decider/
github.com/Tas9er/ByPassGodzilla
github.com/Tas9er/ByPassGodzilla
learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180334/-1/-1/0/Enforce%20Signed%20Software%20Execution%20Policies%20-%20Copy.pdf
media.defense.gov/2019/Sep/09/2002180334/-1/-1/0/Enforce%20Signed%20Software%20Execution%20Policies%20-%20Copy.pdf
nvd.nist.gov/vuln/detail/CVE-2023-26360
nvd.nist.gov/vuln/detail/CVE-2023-26360
packetstormsecurity.com/files/172079/Adobe-ColdFusion-Unauthenticated-Remote-Code-Execution.html
packetstormsecurity.com/files/172079/Adobe-ColdFusion-Unauthenticated-Remote-Code-Execution.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
social.technet.microsoft.com/wiki/contents/articles/8548.active-directory-sysvol-and-netlogon.aspx
social.technet.microsoft.com/wiki/contents/articles/8548.active-directory-sysvol-and-netlogon.aspx
twitter.com/CISAgov
twitter.com/intent/tweet?text=Threat%20Actors%20Exploit%20Adobe%20ColdFusion%20CVE-2023-26360%20for%20Initial%20Access%20to%20Government%20Servers+https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
www.bleepingcomputer.com/news/security/stealthy-new-javascript-malware-infects-windows-pcs-with-rats/
www.bleepingcomputer.com/news/security/stealthy-new-javascript-malware-infects-windows-pcs-with-rats/
www.cisa.gov/cpg
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
www.cisa.gov/securebydesign
www.cisa.gov/securebydesign
www.cisa.gov/sites/default/files/publications/layering-network-security-segmentation_infographic_508_0.pdf
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a&title=Threat%20Actors%20Exploit%20Adobe%20ColdFusion%20CVE-2023-26360%20for%20Initial%20Access%20to%20Government%20Servers
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
www.oig.dhs.gov/
www.usa.gov/
www.virustotal.com/gui/file/a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864/detection
www.virustotal.com/gui/file/a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864/detection
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Threat%20Actors%20Exploit%20Adobe%20ColdFusion%20CVE-2023-26360%20for%20Initial%20Access%20to%20Government%20Servers&body=www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
99.6%