“While several other machines were ‘bricked’ by the ransomware, the server hosting ColdFusion was partially recoverable, and Sophos was able to pull evidence in the form of logs and files from the machine,” the researchers said.
Old Software, Sophisticated Techniques
Not only were the attackers using a fairly obscure vulnerability, but the ColdFusion server was also running Windows Server 2008, which reached end-of-life in January last year. Adobe, for its part, ended support for ColdFusion 9 in 2016. As a result, neither the OS nor the ColdFusion software could be patched, Sophos noted.
The attack is a useful reminder of how crucial it is for IT administrators to keep all critical business systems up to date, especially those exposed to the public internet. It is rather curious, though, that despite exploiting an old security flaw in old software, the attackers used “fairly sophisticated techniques to conceal their files.” They also injected code into memory and covered their tracks by deleting logs and other artifacts.
ColdFusion Vulnerabilities CVE-2010-2861, CVE-2009-3960
Specifically, the attackers used two ColdFusion vulnerabilities. CVE-2010-2861, a directory traversal vulnerability, was used to retrieve a file called password.properties from the server. The other ColdFusion flaw exploited in this attack is CVE-2009-3960, which permits a remote attacker to inject data by abusing ColdFusion’s XML handling. This allowed the attacker to upload a file to the ColdFusion server by performing an HTTP POST to the /flex2gateway/amf path on the server, Sophos noted.
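The two request patterns described above (a directory traversal request that reaches for password.properties, and a file upload via an HTTP POST to /flex2gateway/amf) are both visible in ordinary web server logs, which is what a defender would want to hunt for on an exposed ColdFusion host. The following Python script is an added example, not code from Sophos or from the article; it scans a handful of constructed, simplified IIS-style log lines (date, time, client IP, method, URI stem, query, status) and flags requests that contain a traversal sequence, name a sensitive file, or POST to the AMF gateway path. The log format and the sample lines are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in a simplified IIS-like layout (not from the Sophos report).
# Fields: date time client_ip method uri_stem uri_query status ("-" means no query string).
SAMPLE_LOG = """\
2021-05-01 10:00:01 203.0.113.10 GET /index.cfm - 200
2021-05-01 10:00:05 203.0.113.10 GET /app/view.cfm path=..%2F..%2Fpassword.properties 200
2021-05-01 10:00:09 198.51.100.7 POST /flex2gateway/amf - 200
2021-05-01 10:01:00 192.0.2.44 GET /about.cfm - 200
"""

# Indicators drawn from the article: traversal sequences, the password.properties file name,
# and the /flex2gateway/amf path used for the upload.
TRAVERSAL = re.compile(r"\.\.[/\\]")
SENSITIVE_FILES = ("password.properties",)
AMF_GATEWAY = "/flex2gateway/amf"


def parse_line(line):
    """Split one log line into a dict; return None for malformed or comment lines."""
    parts = line.split()
    if len(parts) != 7 or line.startswith("#"):
        return None
    date, time, ip, method, stem, query, status = parts
    return {
        "date": date,
        "time": time,
        "ip": ip,
        "method": method.upper(),
        "stem": stem,
        "query": "" if query == "-" else query,
        "status": status,
    }


def classify(rec):
    """Return the list of reasons a request looks like ColdFusion exploitation activity."""
    reasons = []
    # Decode twice so single- and double-URL-encoded traversal sequences both normalize.
    target = unquote(unquote(rec["stem"] + "?" + rec["query"])).lower()
    if TRAVERSAL.search(target):
        reasons.append("path traversal sequence")
    if any(name in target for name in SENSITIVE_FILES):
        reasons.append("sensitive file name")
    if rec["method"] == "POST" and rec["stem"].lower().startswith(AMF_GATEWAY):
        reasons.append("POST to AMF gateway")
    return reasons


def scan(log_text):
    """Scan a whole log and return (client_ip, method, uri_stem, reasons) for each suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["ip"], rec["method"], rec["stem"], reasons))
    return alerts


if __name__ == "__main__":
    for ip, method, stem, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {method} {stem}: {', '.join(reasons)}")
```

Treat the AMF gateway rule as a hunting indicator rather than a blocking signature: legitimate Flex clients also POST to /flex2gateway/amf, so a hit there should be compared against the host's normal baseline of gateway traffic and correlated with the traversal and file-name hits from the same client before it is escalated.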
In 2018, hackers exploited another Adobe ColdFusion vulnerability, tracked as CVE-2018-15961.