Several threat actors have recently used outdated Adobe software to exploit systems and deploy ransomware payloads, highlighting the ever-evolving tactics that they use to attack networks and deploy the ransomware payloads. It has been discovered that the attack took place during September and early October and was aimed at gaining access to Windows servers and releasing ransomware. However, it was a valuable learning experience, which served as a valuable learning opportunity despite the failure of the attack.
In order to uncover the attack, Sophos researchers examined the threat actor's approach to the attack. The researchers discovered that the attacker intended to use leaked source code from the LockBit 3.0 ransomware family of a malware family known for its fast and effective execution.
Other campaigns have also repurposed different ransomware variants in order to create new variants of the virus.
Threat actors have always been interested in the servers as they are undoubtedly one of the most effective ways of attacking an organization, as they are one of the more efficient paths to penetrate it.
Generally, server-related accounts have the highest privilege levels in the network, making it easy for their administrators to easily move from one machine to another in the network.
There are a variety of threats being delivered to servers that have been observed by Sophos X-Ops, and the most common payloads are the Cobalt Strike Beacons, ransomware, fileless PowerShell backdoors, miners, and webshells, among others.
Several efforts were made by an unknown actor in September and into the first half of October to exploit vulnerabilities in outdated, unsupported versions of Adobe’s ColdFusion Server software so that they could gain access to the Windows servers on which they were running, and eventually pivot to the exploitation of ransomware infections.
Although no one of these attacks was successful, the telemetry that they provided allowed us to find out who was responsible, and to retrieve the payloads that were being deployed as part of those attacks.
The researchers at Sophos who uncovered the attack found that the threat actor was attempting to deploy ransomware derived from a family of ransomware known as LockBit 3.0 that was created with the leaked source code.
In other campaigns, Sophos researchers also noticed that a similar pattern was occurring. The attackers are likely to have chosen LockBit 3.0 ransomware as the most effective family and the fastest.
A typical approach these threat actors take is aiming for holes in unpatched versions of software, and that is exactly what they did in this case. Rather than implementing new techniques, the attacker used old and unsupported ColdFusion version 11 software to target.
The Adobe ColdFusion service announced last week that three critical vulnerabilities had been discovered. First of all, on July 11, it announced patches for CVE-2023-29300, a deserialization issue that could result in arbitrary code execution, as well as CVE-2023-20298, an improper access control issue that could lead to a security feature bypass.
On July 14, the company also released patches to fix another deserialization vulnerability, CVE-2023-38203, which may result in executing arbitrary code. Adobe made a mistake in sending notification emails to some customers in which it claimed it was aware of attacks targeting CVE-2023-29300.
However, no evidence has been presented that this flaw has been actually exploited.
Rapid7, a cybersecurity firm that has been following the CVE-2023-29298 and CVE-2023-38203 vulnerabilities that were patched last week, reported on Monday that none of them seem to have been exploited in the wild yet.
As Accel7 discovered in its analysis, CVE-2023-38203 has been chained with another vulnerability, likely CVE-2023-38203, which is demonstrated in attacks observed by the firm that were undertaken by attackers who used PowerShell commands to create webshells that gave them access to the targeted system.
A blog post detailing the findings of CVE-2023-38203 was published by researchers at ProjectDiscovery on July 12, just before Adobe announced its patch to address the issue. Rapid7 believes ProjectDiscovery initially thought that by posting the blog post, they were actually disclosing CVE-2023-29300, which had already been fixed by Adobe, but in fact, their blog post was in fact about CVE-2023-38203, which the vendor was still yet to issue a patch for.
As it turned out, Adobe announced patches on July 14 as part of its announcement of patches for CVE-2023-38203, and it clarified that the company was making available a proof-of-concept (PoC) blog post to explain the security hole.
The other important factor is investing in robust endpoint detection and response (EDR) systems, which can detect and prevent ransomware attacks. Effective EDR systems can prevent ransomware attacks from occurring. Using software that is supported by the organization, regularly updating the system, and leveraging security controls that can detect and mitigate evolving threats are important for organizations.
Particularly, endpoint behavioural detection software can be effective in detecting suspicious activities on an endpoint as well as guarding against ransomware attacks by detecting suspicious activities.
The recent failed hack on ColdFusion servers sheds great light on the evolving landscape of ransomware attacks and sheds new light on how ransomware attacks will evolve in the future.
Throughout the course of the year, threat actors continue to increase their tactics and find new vulnerabilities to exploit. There are however several ways in which organizations can effectively protect themselves from cyber threats. They can maintain a fully up-to-date software strategy, implement robust security controls, and use sophisticated endpoint monitoring and response systems.
When it comes to mitigating the risks associated with ransomware, it is crucial to stay proactive and vigilant at all times.
It was reported on March 12, 2023, that the U.S. National Security Agency (NSA) has added to its known exploited vulnerabilities list an Adobe ColdFusion vulnerability with a CVSS score of 8.6 which has been tracked as CVE-2023-26360, which is tracked as the CVE-2023-22132 in the Adobe ColdFusion patched by the vendor.
A serious flaw in this software lies in the way it handles access control, which could allow a remote attacker to execute any code he chooses. As a result of this vulnerability, an arbitrary file system read could also occur, along with a memory leak.