- Remote attackers can exploit pre-authentication RCE vulnerabilities in Adobe ColdFusion 2021 to seize control of affected systems.
- Adobe has released security patches to address these vulnerabilities, but attackers are still exploiting them.
- The attack campaign involves multiple stages, including probing, reverse shells, and the deployment of malware.
- Four distinct malware strains have been identified: XMRig Miner, Satan DDoS/Lucifer, RudeMiner, and BillGates/Setag backdoor.
- Users are advised to upgrade their systems promptly and deploy protection mechanisms to thwart ongoing attacks.
Numerous users of both Windows and macOS platforms are currently at risk due to vulnerabilities present in Adobe ColdFusion. This software suite, a popular choice for web application development, recently came under attack as remote attackers discovered and exploited pre-authentication remote code execution (RCE) vulnerabilities. Such vulnerabilities granted attackers the ability to seize control of affected systems, raising the alarm to a critical severity level.
The crux of these attacks targets the WDDX deserialization process within Adobe ColdFusion 2021. While Adobe responded swiftly with security updates (APSB23-40, APSB23-41, and APSB23-47), FortiGuard Labs observed continued exploitation attempts.
An analysis of the attack patterns uncovered a process executed by the threat actors. They initiated probing activities using tools like “interactsh” to test the exploit’s effectiveness. These activities were observed involving multiple domains including mooo-ngcom, redteamtf, and h4ck4funxyz. The probing phase provided attackers insights into potential vulnerabilities and served as a precursor to more malicious actions.
The attack campaign’s sophistication extended to the utilization of reverse shells. By encoding payloads in Base64, attackers sought to gain unauthorized access to victim systems, enabling remote control.
Notably, the analysis disclosed a multi-pronged approach, including the deployment of various malware variants. Attacks were launched from distinct IP addresses, raising concerns about the campaign’s widespread reach. Malware payloads were encoded in Base64, concealing their true nature until decoded. Researchers identified four distinct malware strains at play: XMRig Miner, Satan DDoS/Lucifer, RudeMiner, and BillGates/Setag backdoor.
The XMRig Miner, primarily associated with Monero cryptocurrency mining, was harnessed to hijack system processing power. By utilizing version 6.20.0, attackers managed to capitalize on compromised systems for their own financial gain.
A hybrid bot combining cryptojacking and distributed denial of service (DDoS) functionalities, Lucifer emerged as a formidable entity. This malware variant showcased not only its mining capabilities but also its adeptness in command and control operations, propagation through vulnerabilities, and sophisticated DDoS attacks.
RudeMiner, connected to Lucifer, carried a DDoS attack legacy from previous campaigns. Its involvement in the ongoing threat landscape demonstrated its persistence and adaptability, marking it as a significant concern.
The BillGates/Setag backdoor, previously associated with Confluence Server vulnerabilities, resurfaced in this context. Its multifaceted capabilities encompassed system hijacking, C2 communication, and diverse attack methods, including SYN, UDP, ICMP, and HTTP-based attacks.
Despite the availability of security patches, the continuous stream of attacks underscores the urgency of action. Users are strongly advised to upgrade their systems promptly and to deploy protection mechanisms including antivirus services, IPS signatures, web filtering, and IP reputation tracking, to thwart ongoing attacks.