
Ancient ColdFusion Flaw (CVE-2010-2861) Exploited to Drop Cring Ransomware

Cybercriminals recently exploited an old vulnerability in an 11-year-old installation of Adobe ColdFusion 9 to take control of the ColdFusion server remotely.

The purpose of the attack was to drop the Cring ransomware and compromise other machines on the targeted network, according to a Sophos report.

“While several other machines were ‘bricked’ by the ransomware, the server hosting ColdFusion was partially recoverable, and Sophos was able to pull evidence in the form of logs and files from the machine,” the researchers said.

Old Software, Sophisticated Techniques

Not only were the attackers using quite an obscure vulnerability, but the ColdFusion server was running Windows Server 2008, which reached end-of-life in January last year. Adobe, for its part, discontinued ColdFusion 9 in 2016. Because of this, neither the OS nor the ColdFusion software could be patched, Sophos noted.

The attack is a great reminder of how crucial it is for IT administrators to keep all critical business systems up to date, especially those facing the public internet. It is rather curious, though, that despite exploiting an old security flaw in outdated software, the attackers used “fairly sophisticated techniques to conceal their files.” They also injected code into memory and covered their tracks by deleting logs and other artifacts.

ColdFusion Vulnerabilities CVE-2010-2861, CVE-2009-3960

To be more specific, the attackers used two ColdFusion vulnerabilities. CVE-2010-2861, a directory traversal vulnerability, was used to retrieve a file called password.properties from the server. The other ColdFusion flaw exploited in this attack is CVE-2009-3960, which permits a remote attacker to inject data by abusing ColdFusion’s XML handling. This allowed the attacker to upload a file to the ColdFusion server by performing an HTTP POST to the /flex2gateway/amf path on the server, Sophos noted.
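As a defender-side illustration of the two request patterns described above, here is a small scanner that flags access-log lines showing a traversal read of password.properties or a POST to /flex2gateway/amf. This is added example code, not part of the Sophos report or this article; the log lines, IP addresses and the query-string parameter name `f` are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format). The IPs, paths and the
# parameter name "f" are invented for this example, not taken from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2021:08:14:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.5 - - [10/May/2021:08:14:09 +0000] "GET /admin/view.cfm?f=..%2F..%2Flib%2Fpassword.properties HTTP/1.1" 200 812
203.0.113.5 - - [10/May/2021:08:16:31 +0000] "POST /flex2gateway/amf HTTP/1.1" 200 233
198.51.100.7 - - [10/May/2021:08:17:00 +0000] "GET /products.cfm?id=42 HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return the detection labels for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # Decode twice so double-encoded traversal sequences (e.g. %252e%252e) are caught too.
    target = unquote(unquote(m.group("target")))
    labels = []
    if "password.properties" in target.lower():
        labels.append("cf-password-properties-read")   # objective of the CVE-2010-2861 abuse
    if re.search(r"(\.\./|\.\.\\)", target):
        labels.append("path-traversal")
    if m.group("method") == "POST" and target.lower().startswith("/flex2gateway/amf"):
        labels.append("flex2gateway-amf-post")          # upload path tied to CVE-2009-3960
    return labels


def scan(log_text):
    """Return (ip, timestamp, labels) for every line that triggers at least one rule."""
    hits = []
    for line in log_text.splitlines():
        labels = classify(line)
        if labels:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("ts"), labels))
    return hits


if __name__ == "__main__":
    for ip, ts, labels in scan(SAMPLE_LOG):
        print(f"{ts} {ip} -> {', '.join(labels)}")
```

On a real server the same rules can be run over historical logs to find whether these endpoints were touched before the ransomware was dropped; a POST to /flex2gateway/amf from an external address on a host that does not use Flex remoting deserves a look on its own.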

In 2018, hackers exploited another Adobe ColdFusion vulnerability, tracked as CVE-2018-15961.

Milena Dimitrova
