A nation-state cyber-espionage group is actively hacking into Adobe ColdFusion servers and planting backdoors for future operations, Volexity researchers have told ZDNet.
The attacks have been taking place since late September and have targeted ColdFusion servers that were not updated with security patches that Adobe released two weeks before, on September 11.
Classified as an “unauthenticated file upload,” this vulnerability allowed this APT group (APT stands for advanced persistent threat, another term used to describe nation-state cyber-espionage groups) to surreptitiously upload a version of the China Chopper backdoor on unpatched servers and take over the entire system.
Matthew Meltzer, a security analyst for Volexity, has told ZDNet that the core issue at the heart of this vulnerability is that Adobe had replaced the technology behind the native ColdFusion WYSIWYG editor from FCKEditor to CKEditor.
CKEditor is a revamped and updated version of the older FCKEditor, but Meltzer says that when Adobe made the switch between the two inside ColdFusion it accidentally opened an unauthenticated file upload vulnerability that it originally patched in FCKEditor’s ColdFusion integration back in 2009.
The problem, according to Meltzer, is that ColdFusion’s initial CKEditor integration featured a weaker file upload blacklist that allowed users to upload JSP files on ColdFusion servers. Since ColdFusion can natively execute JSP files, this created a dangerous situation.
“The attackers we observed noticed that the .jsp extension had been left out and took advantage of this,” Meltzer told ZDNet in an interview today.
Adobe realized its mistake and added JSP files to CKEditor’s file extension upload blacklist in September’s patch.
But this simple change didn’t escape the APT group’s members. Two weeks after Adobe’s patch, the cyber-espionage group started scanning for unpatched ColdFusion servers, and have been uploading a JSP version of the China Chopper backdoor to exploit and take over servers ever since.
It is unclear what attackers want to do with these servers in the future, but they’re most likely going to be used as staging areas to host malware, send spear-phishing, for watering hole attacks, or to disguise other attacks as part of a proxy network –typical APT activity.
“Abusing CVE-2018-15961 is not difficult, thus any organizations running a vulnerable instance of ColdFusion should update as soon as possible,” Meltzer warned.
The researcher says that Volexity has also identified cases over the summer where a group of Indonesian hacktivists has been defacing websites hosted on ColdFusion servers.
While Meltzer and Volexity have not had a chance to review logs and artifacts from the affected companies, they do believe that this group might have used the same vulnerability even before Adobe patched it. Their assumption is based on the locations of files uploaded during these defacements, which suggest unauthorized uploads.
“We have not observed abuse of this vulnerability outside of the APT activity and possibly related criminal web defacement,” Meltzer told us, but this might change in the future.
The company advises ColdFusion server owners to take advantage of the server’s automatic update feature to make sure their servers receive and install updates as soon as they’re available. Volexity has also published a technical report with its recent findings.