Federal agency breached through Adobe ColdFusion vulnerability

Public-facing servers at a U.S. federal agency were compromised by hackers in June and July through a vulnerability in a popular product from Adobe, according to the nation’s leading cybersecurity agency.

The unidentified hackers exploited CVE-2023-26360 — a bug affecting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) as well as earlier installations of the software that Adobe no longer supports.

ColdFusion is a tool used by organizations for rapid web-application development, allowing them to build web applications and integrate things like databases and other third-party libraries.

An analysis of network logs confirmed the compromises, according to the Cybersecurity and Infrastructure Security Agency (CISA).

“In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two agency systems in two separate instances,” CISA said in an advisory on Tuesday.

The advisory does not name the agency. CISA said it does not know if the same hackers perpetrated both attacks.

“In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment,” CISA said.

The affected agency was running outdated versions of software vulnerable to several bugs including CVE-2023-26360, the advisory said. CISA’s analysis showed the hackers inserted malware and were mainly launching a reconnaissance campaign.

There is no evidence of data exfiltration or lateral movement by the hackers, CISA said.

As early as June 2, the intruders exploited the vulnerability to gain access to a public-facing server, CISA said.

The hackers tried to exfiltrate some files, but the attempt was not successful because the activity was detected and “quarantined,” the advisory said. Other attempts to download data were blocked by the victimized server.

The hackers were able to view data contained in a ColdFusion file that contained the encryption method used to encrypt ColdFusion passwords, CISA said.

Hackers again gained a foothold on June 26 after attacking a public-facing web server running ColdFusion, the advisory said. The agency removed the server from the network within 24 hours of receiving an alert.

The malware used on the server during this incident attempted to decrypt passwords for ColdFusion data sources, but it only worked on ColdFusion version 8 or older. The version used by the agency was newer, CISA said.

Spotted in the spring

CISA noted that it added CVE-2023-26360 to its list of Known Exploited Vulnerabilities in March and ordered all federal agencies to patch the flaw by April 5.

Adobe has warned throughout 2023 of vulnerabilities affecting ColdFusion.

In October, researchers at cybersecurity company Sophos said they saw hackers use a knockoff of the LockBit ransomware to target outdated and unsupported Adobe ColdFusion servers.

CISA’s report highlights the necessity of federal agencies to use logging software as a way to identify security incidents.

A report issued Monday from the U.S. Government Accountability Office said many civilian agencies “have not met the federal requirements for event logging — i.e., ensuring that cybersecurity incidents are tracked and that these tracking logs are appropriately retained and managed.”

“Information from federal IT logs is invaluable in the detection, investigation, and remediation of cyberthreats,” they said. “We recommended that federal agencies fully implement requirements to log cybersecurity events, and more.”

Twenty of 23 major civilian agencies examined “have not met requirements for investigation and remediation (event logging) capabilities.” The agencies were required to meet certain logging requirements by August. CISA did not specify in Tuesday’s advisory if the two attacked agencies were subject to that requirement.

“Until the agencies implement all event logging requirements, the federal government's ability to fully detect, investigate, and remediate cyber threats will be constrained,” the GAO said.

“Agencies described three key challenges that hindered their abilities to fully prepare to respond to cybersecurity incidents: (1) lack of staff, (2) event logging technical challenges, and (3) limitations in cyber threat information sharing.”