Hackers Breach US Govt Agencies Using Adobe ColdFusion Exploit

Cyber Security Threat Summary:
CISA recently published an advisory warning that hackers are exploiting a critical vulnerability in Adobe ColdFusion to gain initial access to government servers. Tracked as CVE-2023-26360, the flaw is an improper access control vulnerability in Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier), which could result in arbitrary code execution. CVE-2023-26360 was addressed in March; however, CISA notes that the flaw was exploited as a zero-day before the patches were released. CISA issued a notice about the exploitation attempts in March. This week the agency released another notice stating that threat actors are continuing to exploit the flaw, and urged federal agencies to apply the security updates as soon as possible.

Security Officer Comments:
CISA highlighted in its advisory that in June 2023, threat actors were able to establish an initial foothold on two agency systems in two separate instances. In both cases, the agencies were running outdated software, including Adobe ColdFusion versions affected by CVE-2023-26360. In the first incident, which took place on June 26, the actors exploited CVE-2023-26360 to install a web shell (config.jsp), enabling them to insert code into a ColdFusion configuration file and extract credentials. In the second incident, which occurred on June 2, the actors gathered user account information from the targeted system before proceeding to deploy a remote access trojan. CISA notes that both attacks were detected and blocked before the actors could exfiltrate data or move laterally.

Suggested Correction(s):
To prevent potential attacks, CISA recommends that organizations:

  • Prioritize remediating known exploited vulnerabilities (CVE-2023-26360).
  • Employ proper network segmentation.
  • Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
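Acting on the first bullet starts with knowing which ColdFusion installations fall inside the affected range the advisory names (2018 Update 15 and earlier, 2021 Update 5 and earlier). The following Python script is an added example, not CISA's or Adobe's tooling; it assumes each server reports its version as a string of the form `<release>,<major>,<update>[,<build>]` (for instance `2021,0,05,330109`) and that the only affected range is the one stated above. The sample inventory, hostnames and build numbers are constructed for the example.

```python
"""Triage a ColdFusion inventory against the versions CISA lists as affected
by CVE-2023-26360 (2018 Update 15 and earlier; 2021 Update 5 and earlier).

Added example, not CISA's or Adobe's tooling.
ASSUMPTION: each server reports its version as "<release>,<major>,<update>[,<build>]"
(for instance "2021,0,05,330109"); adjust parse_version() if yours differs.
"""
import re
from typing import Dict, List, Optional, Tuple

# Highest update level that is still vulnerable, per release, taken from the advisory text.
LAST_VULNERABLE_UPDATE: Dict[int, int] = {2018: 15, 2021: 5}


def parse_version(version: str) -> Optional[Tuple[int, int]]:
    """Return (release, update) from a version string, or None if it cannot be parsed."""
    parts = re.split(r"[,.]", version.strip())
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        return None
    release, _major, update = (int(p) for p in parts[:3])
    return release, update


def assess(version: str) -> str:
    """Classify one version string.

    "affected"    - within the range the advisory names; patch first.
    "patched"     - a listed release at an update level above the vulnerable range.
    "unlisted"    - a release the advisory does not mention (e.g. end-of-life 2016);
                    this check says nothing about it, so assess it separately.
    "unparseable" - the string did not match the assumed format.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    release, update = parsed
    last_vulnerable = LAST_VULNERABLE_UPDATE.get(release)
    if last_vulnerable is None:
        return "unlisted"
    return "affected" if update <= last_vulnerable else "patched"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the 'affected' bucket can be worked first."""
    buckets: Dict[str, List[str]] = {}
    for host, version in inventory:
        buckets.setdefault(assess(version), []).append(host)
    return buckets


# Constructed sample inventory: hostnames and version/build strings are made up.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("cf-portal-01", "2021,0,05,330109"),
    ("cf-portal-02", "2021,0,06,330132"),
    ("cf-legacy-01", "2018,0,15,330243"),
    ("cf-legacy-02", "2018,0,16,330252"),
    ("cf-eol-01", "2016,0,18"),
    ("cf-unknown", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{bucket:12s} {', '.join(hosts)}")
```

The "unlisted" and "unparseable" buckets are kept separate on purpose: a release the advisory does not cover, or a version string the script cannot read, must not silently land in the "patched" column, since both are exactly the hosts that tend to get forgotten during remediation.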