A group of cybercriminals is actively compromising servers that run the Adobe ColdFusion platform and planting backdoors for later use. The attacks have been observed since the end of September and target servers that have not received the security patches Adobe released on September 11. The group apparently analysed those patches and developed an exploit for the vulnerability CVE-2018-15961.
Classified as an "unauthenticated file upload", the vulnerability lets an attacker who holds no credentials place a file of their choosing on an unpatched server; the group used it to upload a version of the China Chopper backdoor and take over the system.
Two weeks after the Adobe patch was released, the group began scanning for unpatched ColdFusion servers and has since been delivering a JSP (JavaServer Pages) version of the China Chopper backdoor to explore and take control of them. It is not clear what the attackers intend to do with these servers, but they will likely be used to host malware, send spear-phishing messages and stage watering-hole attacks.
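A quick way to triage a ColdFusion host for this kind of implant, as an added example that is not code from the article, from Adobe or from Tempest: walk the web root for JSP files modified after the patch date and flag those that pass a request parameter into a command-execution, file-write or class-loading sink, which is all a minimal web shell needs. The sink patterns are generic web-shell heuristics chosen for the demonstration, not indicators published for this campaign, and the sample files, their contents, timestamps and directory names (CFIDE, cf_scripts) are constructed here and written to a temporary directory.

```python
"""Heuristic triage of JSP files dropped into a web root.

Added example, not code from the original article nor from Adobe or
Tempest. The sink patterns are generic web-shell heuristics (an
assumption), not indicators published for the campaign in the article.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Day the vendor fix shipped, per the article; used as a triage cut-off.
PATCH_DATE = datetime(2018, 9, 11, tzinfo=timezone.utc)

# Dangerous sinks a JSP web shell needs, and the attacker-controlled
# source (request parameters) that feeds them.
SINKS = {
    "command_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\(|new\s+ProcessBuilder\("),
    "file_write": re.compile(r"new\s+FileOutputStream\(|Files\.write\("),
    "class_load": re.compile(r"\.defineClass\(|URLClassLoader"),
}
SOURCE = re.compile(r"request\.getParameter\(")


def classify_jsp(source: str) -> dict:
    """Report which sinks a JSP source touches and whether request input is read.

    A file is flagged only when it both reads request parameters and hits at
    least one sink: rendering a parameter alone is ordinary page behaviour.
    """
    sinks = sorted(name for name, rx in SINKS.items() if rx.search(source))
    uses_request = SOURCE.search(source) is not None
    return {"sinks": sinks, "uses_request": uses_request, "flag": uses_request and bool(sinks)}


def scan_webroot(root, modified_after: datetime) -> list:
    """Walk `root` for *.jsp/*.jspx files and return the flagged ones.

    Files with a modification time at or before `modified_after` are skipped,
    so the patch date narrows the review to what appeared afterwards.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".jsp", ".jspx"):
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime <= modified_after:
            continue
        verdict = classify_jsp(path.read_text(errors="replace"))
        if verdict["flag"]:
            findings.append({"path": path.relative_to(root).as_posix(), "mtime": mtime, **verdict})
    return findings


def build_demo_webroot() -> str:
    """Create a constructed sample web root (not a real capture) and return its path."""
    root = tempfile.mkdtemp(prefix="cf-webroot-")
    samples = {
        # Ordinary page: reads a parameter but only renders it.
        "CFIDE/hello.jsp": ('<%@ page contentType="text/html" %>\n'
                            '<p>Hello <%= request.getParameter("name") %></p>\n',
                            datetime(2018, 8, 1, tzinfo=timezone.utc)),
        # Minimal one-line shell: request parameter straight into exec().
        "cf_scripts/x.jsp": ('<%@ page import="java.io.*" %>\n'
                             '<% Runtime.getRuntime().exec(request.getParameter("c")); %>\n',
                             datetime(2018, 9, 25, tzinfo=timezone.utc)),
        # Arbitrary file write from a request parameter, but dated before
        # the patch: the cut-off hides it, which is the limit of this filter.
        "CFIDE/export.jsp": ('<% new FileOutputStream("out.txt").write('
                             'request.getParameter("d").getBytes()); %>\n',
                             datetime(2018, 6, 1, tzinfo=timezone.utc)),
    }
    for rel, (body, mtime) in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
        os.utime(p, (mtime.timestamp(), mtime.timestamp()))
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_demo_webroot(), PATCH_DATE):
        print(f["path"], f["mtime"].date(), f["sinks"])
```

Run as written, the scan reports only cf_scripts/x.jsp. The date cut-off is a triage aid, not a guarantee: the constructed export.jsp is just as dangerous but is skipped because it predates the patch, and an attacker can also reset timestamps, so a full sweep without the date filter is the safer follow-up on any host that was exposed unpatched.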
Adobe advises ColdFusion server owners to enable the platform's automatic update feature so that their servers receive and install updates as they become available.
This article was originally published in the Tempest Soundbites app, available to Tempest customers for Android and iOS. To obtain credentials, contact your relationship manager.