Fortinet has recently discovered a concerning trend of exploitation targeting Adobe ColdFusion, a popular web development platform. Although Adobe released security updates (APSB23-40, APSB23-41, and APSB23-47) in July to address critical vulnerabilities, the exploitation attempts have persisted.
FortiGuard Labs IPS telemetry has continued to detect numerous attacks attempting to exploit the deserialization vulnerability in ColdFusion's handling of Web Distributed Data eXchange (WDDX) data. This vulnerability is especially dangerous because it could lead to arbitrary code execution on targeted systems.
The attacks observed include probing with tools like interactsh, which can generate domain names to test exploit success. Attackers have also been establishing reverse shells to gain unauthorized access to victim computers, a technique that can enable them to exploit further vulnerabilities and take control of the system.
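As an added example (not from Fortinet's report or this article), one way to look for the interactsh probing described above is to scan DNS query logs for lookups of the tool's callback domains by servers that should never make them. The domain list, the 33-character label shape and the log format are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumption: default public interactsh server domains; the article lists none.
INTERACTSH_SUFFIXES = ("oast.pro", "oast.live", "oast.site",
                       "oast.online", "oast.fun", "oast.me")
# Assumption: the tool's default generated label is 33 lowercase alphanumerics.
GENERATED_LABEL = re.compile(r"[a-z0-9]{33}")
# Constructed label: 20-character id followed by a 13-character nonce.
FAKE_ID = "ck3v9q2m7xa1b2c3d4e5" + "f6g7h8i9j0k1z"

# Constructed DNS query log: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = f"""\
2023-09-01T10:00:01Z 10.0.5.20 A updates.example.com.
2023-09-01T10:00:07Z 10.0.5.20 A {FAKE_ID}.oast.pro.
2023-09-01T10:00:09Z 10.0.5.21 A OAST.PRO.
2023-09-01T10:01:12Z 10.0.5.20 AAAA x.{FAKE_ID}.oast.pro.
2023-09-01T10:02:30Z 10.0.7.14 A notoast.pro.
malformed line
2023-09-01T10:03:00Z 10.0.7.14 A cdn.oast.fun.example.net.
"""


def classify(qname):
    """Return 'callback', 'domain-only' or None for one queried name."""
    name = qname.lower().rstrip(".")
    for suffix in INTERACTSH_SUFFIXES:
        if name == suffix:
            return "domain-only"
        if name.endswith("." + suffix):  # match on a label boundary only
            labels = name[: -len(suffix) - 1].split(".")
            if any(GENERATED_LABEL.fullmatch(label) for label in labels):
                return "callback"
            return "domain-only"
    return None


def find_callbacks(log_text):
    """Group suspicious lookups by the internal host that made them."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        timestamp, client, _qtype, qname = fields
        verdict = classify(qname)
        if verdict:
            hits[client].append((timestamp, qname, verdict))
    return dict(hits)
```

A `callback` hit from a ColdFusion host means the server resolved a generated name, which is what a successful probe looks like; self-hosted interactsh servers use other domains and will not match this list.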
FortiGuard Labs has identified four malware variants used in these exploitation attempts, each with its own malicious functionalities:
– XMRig Miner, which hijacks computer processing power to mine for the Monero cryptocurrency
– Satan DDoS/Lucifer, a hybrid bot that combines cryptojacking and distributed denial of service (DDoS) capabilities
– RudeMiner/SpreadMiner, similar to Lucifer in its malicious activities
– BillGates/Setag, a backdoor known for taking over systems, communicating with command and control servers, and launching attacks
Despite patches being available for these vulnerabilities, public attacks are still ongoing. FortiGuard Labs strongly advises users to promptly upgrade their systems and apply FortiGuard protection to safeguard against these threats.
In conclusion, the persistent exploitation attempts targeting Adobe ColdFusion highlight the importance of staying vigilant and proactive in ensuring the security of web development platforms. Stay informed, update your systems, and utilize security measures to protect against potential threats.