Unidentified threat actors breached a server running an unpatched, 11-year-old version of Adobe’s ColdFusion 9 software within minutes, took remote control of it, and deployed the file-encrypting Cring ransomware on the target’s network 79 hours after the initial hack.
The attack, reported by Israeli web hosting firm XMission, shows how fast attackers are finding new vulnerabilities to use. And it demonstrates why even mature software products are still at risk, particularly for organizations with dated or unpatched systems.
According to XMission, thousands of ColdFusion servers running the vulnerable version were discovered running on Amazon Web Services Inc.’s cloud-based services in China and Israel nearly two years ago. Security researcher Jordan Wiens found the servers by scanning Amazon’s AWS marketplace for ColdFusion servers. Once he identified them as vulnerable, he notified Amazon about the discovery in March 2013. Amazon says it fixed the vulnerability almost immediately after its own security team became aware of it.
A second, more severe bug remained in ColdFusion for more than a year until it was finally resolved in February 2014. Cring Ransomware is the first known attack exploiting those two bugs.
Based on files posted by the attackers, the Cring Ransomware exploit appears to use legitimate Adobe software to reach vulnerable servers. The attackers appear to have used the legitimate cringdll.dll file to get their code onto vulnerable ColdFusion servers. According to Wiens, this file is typically found in thousands of legitimate Adobe software projects from which it downloads files. After gaining remote access to vulnerable servers, the attackers did not try to change their configuration; instead, they used administrative rights that allowed them to do everything but physically alter the servers.
Wiens said the attack demonstrates how important it is to patch systems as soon as new vulnerabilities are discovered. “There’s some kind of disconnect with attackers trying to scan for known vulnerable software on servers for sale on cloud services like AWS and not getting blocked, but I’m not sure there is really a good answer for that,” he said.
ColdFusion is maintained by Adobe Systems Inc., which created the platform, but it has been owned by Macromedia, then Adobe since 2005. The ColdFusion vulnerability dates back to January 2006, when Macromedia patched it with an update. The same vulnerability was used in the 2011 hacking of the website for Wikileaks. That attack later involved a third-party service running vulnerable ColdFusion software, but it isn’t known if that vendor was responsible.
A little knowledge is a dangerous thing!
Cring Ransomware appears to take advantage of the same vulnerability in Adobe ColdFusion 9 that Wiens found in March 2013. That vulnerability allows an attacker to gain remote administrative access without needing any credentials. Once they get remote access, the attackers are able to use their access to install files disguised as legitimate software, according to Kaspersky Lab, which published an analysis of the Cring Ransomware. Attackers are using cringdll.dll, which is designed to be installed with Adobe ColdFusion 9, Kaspersky Lab said.
The attackers are using the legitimate cringdll.dll file to get their code onto vulnerable ColdFusion servers, according to Wiens.
“You can say that the attackers were ‘lucky’ this time around because they found a server running an old version of Adobe ColdFusion whose administrator’s panel was exposed on the Internet without any authentication required,” wrote Wiens in a blog post about his research. “The server also had Adobe ColdFusion 9 installed on it. The ColdFusion 9 version was not patched on this particular server; if it had been, the malicious code would not have been able to get on the server in the first place.”
But Wiens said he suspects that this is a targeted attack trying to gain access to a specific site. “It’s my belief that they were actively targeting a specific site,” he said. “I think they were going after a particular site and found it with this.”
To protect against attacks like these, Adrien Guinet, a researcher with Paris-based Quarkslab, recommends keeping all software up to date and monitoring servers for unusual activity.
Interested in reading about how to prevent ransomware attacks on your home or business? Ransomware Prevention Tactics discusses prevention tactics that can be used against ransomware.
If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at firstname.lastname@example.org.