November 9, 2018 at
According to information gathered by Volexity researchers, a spying group is aggressively hacking into the servers of Adobe ColdFusion and creating backdoors for future attacks. This attack has been ongoing since late September with servers not updated with security patches released by Adobe on September 11. Apparently, the hackers have studied Adobe’s September patches and discovered a means of exploiting the CVE-2018-15961 to its advantage.
Categorized as an “unauthenticated file upload,” this weakness allowed this nation-state cyber-espionage group to sneakily upload a version of the China Chopper backdoor on unpatched servers and have control over the entire system.
A security analyst for Volexity, Matthew Meltzer told ZDNet that the primary issue is that Adobe had swapped the technology behind the native ColdFusion WYSIWYG editor from FCKEditor to CKEditor. The CKEditor is an overhauled and updated version of the FCKEditor; however, Meltzer indicated that during the switch between CKEditor and FCKEditor, Adobe accidentally opened an unauthenticated file upload vulnerability that it originally patched in FCKEditor’s ColdFusion integration back in 2009.
How the attack was possible
The main issue is that the initial CKEditor integration had a weaker file upload blacklist, which enables users to upload JSP files on the servers. Considering the fact that ColdFusion can natively execute JSP files, this caused a severe situation. Meltzer in an interview with ZDNet indicated that the attackers noticed that the JSP files were left out and took advantage of the situation. Adobe discovered its mistake, which made the company add the JSP files to the CKEditor’s file extension upload blacklist during it September patch.
As simple as the change was, it didn’t escape the APT group members (ATP means Advanced Persistent Threat). Two weeks after the patch from Adobe, the group began scanning for unpatched ColdFusion servers and kept uploading a JSP version of the China Chopper backdoor to take advantage of the servers.
Currently, it is unclear what the attackers will do with these servers in time to come, however, it is likely that the attackers will use it as a staging zone to host malware, for watering hole attacks, send spear-phishing, or disguise other attacks as part of a proxy network.
While Volexity and Meltzer didn’t have the opportunity to review artifacts and logs from companies affected, there are insinuations that the group may have used the vulnerability besides the Adobe patched. These insinuations are based on the uploaded file location during such defacements, which signifies unauthorized uploads. The company owners of ColdFusion server to leverage the automatic server update feature to ensure its servers get and install updates as soon as possible. Furthermore, Meltzer highlighted that there hasn’t been any abuse of this vulnerability but this may change in the future.