Hackers from the APT group, a nation-state cyber-espionage organization, broke into Adobe ColdFusion servers after working out how to exploit CVE-2018-15961. The attacks began two weeks before Adobe officially patched the flaw on its servers in September.
The vulnerability allowed unauthenticated file uploads, and APT immediately tried to exploit Adobe’s servers. The group uploaded a version of the China Chopper backdoor to the unpatched servers to take control of the entire system. Two of Adobe’s servers were affected by the attack.
According to Volexity security analyst Matthew Meltzer, the vulnerability was introduced when Adobe moved its ColdFusion servers from FCKEditor to CKEditor. The version of CKEditor Adobe was using had a weaker file upload blacklist, which allowed APT to upload backdoors to the ColdFusion servers.
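The weakness named above, a file upload filter built as a blacklist, is worth seeing side by side with the alternative. The following Python is an added illustration, not Adobe's or CKEditor's code, and the extension lists and sample file names in it are constructed for the demonstration rather than taken from either product: a denylist has to enumerate every dangerous extension and silently accepts anything it forgot, while an allowlist only has to describe the one shape of file the feature actually needs.

```python
import os
import re

# Constructed denylist for illustration: the handful of extensions the
# hypothetical upload filter "knows" are dangerous. Anything else gets through.
DENYLIST = {".php", ".cfm", ".cfml", ".asp", ".aspx", ".exe"}

# Constructed allowlist: the only extensions this upload feature actually needs.
ALLOWLIST = ("png", "jpg", "jpeg", "gif")

# One plain stem, exactly one dot, one allowed extension, no path characters.
_ALLOWED_NAME = re.compile(
    r"^[A-Za-z0-9_-]{1,64}\.(" + "|".join(ALLOWLIST) + r")$", re.IGNORECASE
)


def denylist_allows(filename: str) -> bool:
    """Blacklist check: reject only names whose last extension is banned.

    This mirrors the weakness in spirit only: the filter must list every
    dangerous extension up front and misses any it did not anticipate.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(name)
    return ext.lower() not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Allowlist check: accept only a name matching the expected shape.

    Rejects unknown extensions, double extensions, trailing dots, path
    separators and null bytes without having to enumerate any of them.
    """
    if "\x00" in filename:
        return False
    return _ALLOWED_NAME.fullmatch(filename) is not None


def compare(filenames):
    """Return {name: (denylist_verdict, allowlist_verdict)} for each sample."""
    return {f: (denylist_allows(f), allowlist_allows(f)) for f in filenames}


# Constructed sample upload names (not from any real incident).
SAMPLES = [
    "photo.png",        # legitimate upload
    "report.PHP",       # banned extension, different case
    "shell.phtml",      # server-side extension the denylist never listed
    "shell.php.png",    # double extension
    "img.png.",         # trailing dot
    "../../evil.png",   # path traversal in the name
]

if __name__ == "__main__":
    for name, (deny, allow) in compare(SAMPLES).items():
        d = "accept" if deny else "reject"
        a = "accept" if allow else "reject"
        print(f"{name:18} denylist={d}  allowlist={a}")
```

Running it shows the denylist accepting the unlisted server-side extension, the double extension and the trailing-dot name, all of which the allowlist rejects. An extension check is only one layer: uploads should also be stored outside the web root or in a location the application server will not execute, so that a file which slips past the name filter still cannot run as code.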
According to Volexity’s report, there are “numerous systems that appear to have been compromised. The webservers belonged to a variety of organizations, such as educational institutions, state government, health research, humanitarian aid organizations, and more. Each of the sites showed signs of attempted web shell uploads or had HTML files designed to show they had been defaced.”
Since Adobe patched the servers, the attackers have persistently kept trying to get into the ColdFusion servers. The intent behind the attacks is unknown, as security researchers have not yet analyzed the security logs and artifacts.
Data breaches are at an all-time high, and thanks to European Union regulation and the GDPR, users are now consistently informed about breaches, which was not the case earlier. Adobe has advised ColdFusion server owners to enable automatic updates so that patches are installed in time.
What do you think about the recent rise in security incidents? Let us know in the comments below. Get instant updates on TechNadu’s Facebook page, or Twitter handle.