Computer hackers have been found to use the Adobe ColdFusion vulnerability tracked as CVE-2018-15961. This is a known exploit which continues to be widely adopted by various criminal collectives, and targets all over the world have been identified.
The CVE-2018-15961 Adobe ColdFusion Vulnerability Is Being Used by Hackers Worldwide to Infect Targets
Adobe products are constantly being targeted by hackers, as they are popular both as software products and as web technologies. The company releases monthly updates fixing the discovered bugs. However, not all site owners apply them in due time, and they consequently fall victim to the constant, ongoing attack campaigns. The associated Adobe Security Bulletin carries the identifier APSB18-33.
Patches for the Adobe ColdFusion vulnerability being used by several criminal collectives were released in a September update bulletin. According to Adobe itself, the vulnerability was initially given a rating of “2”; this was later changed to “1”.
The actual description of the bug is the following:
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
The attacks are carried out with private exploits, which means that the hackers have created custom malware or a script that takes advantage of the flaw. Insecure web sites are targeted by it automatically when it is given its commands. The security report mentions that it is very possible that the criminal collective is from China. The attack mechanism was found to be simple: the hackers send a crafted HTTP request to the ColdFusion-based editor file; in the vulnerable versions this file does not require authentication, so anyone can access it. It allows .jsp files to be uploaded and executed, which results in a malicious web shell being placed on the server.
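For defenders, the mechanism described above leaves a recognisable trace in web server access logs: an unauthenticated POST to the editor's upload handler, followed shortly afterwards by the same client requesting a server-executable file (such as .jsp) from the upload directory. The following detection script is an added example written for this article, not code from the original report or from Adobe. The log lines are constructed, the upload handler path and the `/userfiles/` directory are placeholders for the real paths of an affected installation (which should be taken from bulletin APSB18-33 and the server's own configuration), and the extension list and correlation window are assumptions to be tuned locally.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample access-log lines (combined-log style). They are invented
# for this example and are not captured traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Nov/2018:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120',
    '203.0.113.10 - - [11/Nov/2018:10:01:05 +0000] "POST /cf_scripts/editor/upload.cfm?Type=File HTTP/1.1" 200 310',
    '203.0.113.10 - - [11/Nov/2018:10:01:07 +0000] "GET /userfiles/file/help.jsp HTTP/1.1" 200 87',
    '198.51.100.7 - - [11/Nov/2018:10:02:00 +0000] "POST /cf_scripts/editor/upload.cfm?Type=Image HTTP/1.1" 200 310',
    '198.51.100.7 - - [11/Nov/2018:10:02:03 +0000] "GET /userfiles/image/logo.png HTTP/1.1" 200 20480',
    '192.0.2.44 - - [11/Nov/2018:10:03:00 +0000] "GET /userfiles/file/report.pdf HTTP/1.1" 200 9000',
]

# PLACEHOLDER: substring of the editor upload handler path. The exact path for
# an affected version is given in Adobe bulletin APSB18-33; substitute it here.
UPLOAD_HANDLER_MARKER = "/editor/upload.cfm"
# ASSUMPTION: directories where the editor stores uploaded files.
UPLOAD_DIR_PREFIXES = ("/userfiles/",)
# Extensions the application server executes rather than serves as static content.
EXECUTABLE_EXTENSIONS = (".jsp", ".jspx", ".cfm", ".cfc", ".cfml")
# ASSUMPTION: how long after an upload a request to the uploaded file is correlated.
CORRELATION_WINDOW = timedelta(minutes=10)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Request:
    ip: str
    ts: datetime
    method: str
    path: str
    status: int


@dataclass
class Finding:
    rule: str
    severity: str
    ip: str
    detail: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return Request(m.group("ip"), ts, m.group("method"),
                   m.group("path"), int(m.group("status")))


def path_only(path: str) -> str:
    """Strip the query string and normalise case so extension checks are reliable."""
    return path.split("?", 1)[0].lower()


def is_upload_handler_post(req: Request) -> bool:
    return req.method == "POST" and UPLOAD_HANDLER_MARKER in path_only(req.path)


def is_executable_in_upload_dir(req: Request) -> bool:
    p = path_only(req.path)
    return p.startswith(UPLOAD_DIR_PREFIXES) and p.endswith(EXECUTABLE_EXTENSIONS)


def analyze(lines: List[str]) -> List[Finding]:
    """Flag upload-handler POSTs and executable files under the upload directory,
    escalating when the same client did both within CORRELATION_WINDOW."""
    findings: List[Finding] = []
    last_upload: Dict[str, datetime] = {}
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        if is_upload_handler_post(req) and req.status == 200:
            last_upload[req.ip] = req.ts
            findings.append(Finding("editor_upload_post", "medium", req.ip,
                                    f"POST to {path_only(req.path)}"))
        if is_executable_in_upload_dir(req):
            prior = last_upload.get(req.ip)
            if prior is not None and req.ts - prior <= CORRELATION_WINDOW:
                rule, sev = "upload_then_request_executable", "high"
            else:
                rule, sev = "executable_in_upload_dir", "medium"
            findings.append(Finding(rule, sev, req.ip,
                                    f"{req.method} {path_only(req.path)}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule} {f.ip}: {f.detail}")
```

On the constructed sample, the client at 203.0.113.10 produces a medium finding for the upload POST and a high finding for fetching `help.jsp` two seconds later, while 198.51.100.7 only triggers the medium upload rule because the file it then requests is a PNG. A legitimate site should have no server-executable files under its upload directory at all, so the medium `executable_in_upload_dir` rule is worth reviewing on its own even without the correlated POST.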
Successful exploitation of the bug leads to infection of the web server with various malware, creating the conditions for several dangerous scenarios:
- Site Modification — Changes to the web server contents can lead to the delivery of dangerous web scripts which introduce redirects, pop-ups and other dangerous elements to the hosted web sites.
- Cryptocurrency Miners — The Adobe ColdFusion vulnerability allows the hackers to install miners on the sites. Using only a few lines of code they can add this malware element, which is launched as soon as the target site is visited. It takes advantage of the available system resources to execute complex mathematical tasks. Whenever one of them is reported as complete, the operators receive income in cryptocurrency, which is automatically transferred to their wallets.
- Malware Delivery — The target sites can be modified to include malware of all types: ransomware, Trojans, viruses, etc.
Adobe products are also constantly targeted by phishing tactics. Last month we reported that a fake Flash update led to a miner infection of thousands of computers. At the moment the attacks continue to propagate, as not all website owners have updated their Adobe ColdFusion installations. The experts once again recommend that administrators and developers check for the latest updates via the Server Update > Updates > Settings panel. For an in-depth overview of the dangers, read the public disclosure.