On Friday Mar 3, 2023 at 12:00pm EST, the Deepwatch Adversary Tactics and Intelligence (ATI) team responded to a customer incident where an EDR alert triggered on a host running Adobe ColdFusion. Once on the call it became clear that, because of log retention gaps, forensic-level analysis of the file system and IIS logs would be needed to support the investigation.
The ATI responders used a forensic collection tool to parse the master file table (MFT) and identify which files the threat actor had created or modified. Once the indicators of compromise were discovered, ATI was able to immediately craft a detection for the Deepwatch customer base. This demonstrates how operationalized organic intelligence protects the Deepwatch customer base.
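The file-system and IIS-log analysis described above can be illustrated with a small correlation script. This is an added example written for this post, not Deepwatch's tooling: it assumes an MFT export in CSV form with Path, Extension, Created0x10 and LastModified0x10 columns (the column names a parser such as MFTECmd emits), an IIS log in W3C format with its #Fields header, and ColdFusion's default web root; every row of sample data is constructed. It narrows the MFT to server-side script files that appeared under the web root inside the incident window, then pairs each one with the requests that arrived just before it was written and with any later request that served the file itself.

```python
import csv
import io
from datetime import datetime, timedelta

# --- Constructed sample data (not from the incident) -----------------------
# Simplified MFT export in the CSV shape a parser such as MFTECmd produces.
# C:\ColdFusion2021\cfusion\wwwroot is ColdFusion's default web root (assumed here).
MFT_CSV = """Path,Extension,Created0x10,LastModified0x10
C:\\ColdFusion2021\\cfusion\\wwwroot\\index.cfm,.cfm,2022-11-02 09:15:00,2022-11-02 09:15:00
C:\\ColdFusion2021\\cfusion\\wwwroot\\images\\logo.png,.png,2022-11-02 09:15:01,2022-11-02 09:15:01
C:\\ColdFusion2021\\cfusion\\wwwroot\\tmp\\a1b2.cfm,.cfm,2023-03-02 22:41:07,2023-03-02 22:41:07
C:\\Windows\\Temp\\update.log,.log,2023-03-02 22:43:10,2023-03-02 22:44:00
"""

# Constructed IIS W3C log excerpt; query strings are omitted ("-").
IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-03-02 22:40:58 10.0.0.5 GET /index.cfm - 443 203.0.113.10 200
2023-03-02 22:41:06 10.0.0.5 GET /index.cfm - 443 203.0.113.10 200
2023-03-02 22:41:30 10.0.0.5 GET /tmp/a1b2.cfm - 443 203.0.113.10 200
2023-03-02 22:50:00 10.0.0.5 GET /index.cfm - 443 198.51.100.7 200
"""

WEB_ROOT = "C:\\ColdFusion2021\\cfusion\\wwwroot"
TS = "%Y-%m-%d %H:%M:%S"


def parse_mft(text):
    """Return MFT rows as dicts with parsed Created/Modified timestamps."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "path": row["Path"],
            "ext": row["Extension"].lower(),
            "created": datetime.strptime(row["Created0x10"], TS),
            "modified": datetime.strptime(row["LastModified0x10"], TS),
        })
    return rows


def parse_iis(text):
    """Parse W3C lines using the #Fields header so column order is not assumed."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], TS)
            rows.append(rec)
    return rows


def web_root_changes(mft, start, end, exts=(".cfm", ".cfc", ".cfml", ".jsp")):
    """Files under the web root created or modified inside [start, end]
    that carry a server-side script extension."""
    hits = []
    for r in mft:
        in_root = r["path"].lower().startswith(WEB_ROOT.lower())
        in_window = start <= r["created"] <= end or start <= r["modified"] <= end
        if in_root and in_window and r["ext"] in exts:
            hits.append(r)
    return hits


def to_uri(path):
    """Translate a web-root file path to the URI stem IIS would log for it."""
    return path[len(WEB_ROOT):].replace("\\", "/")


def correlate(files, requests, slack=timedelta(minutes=2)):
    """Pair each suspicious file with the requests that arrived shortly before
    it appeared (candidate triggers) and with later requests for the file
    itself (evidence the dropped file was actually used)."""
    findings = []
    for f in files:
        before = [q for q in requests if f["created"] - slack <= q["ts"] <= f["created"]]
        after = [q for q in requests
                 if q["ts"] > f["created"] and q["cs-uri-stem"] == to_uri(f["path"])]
        findings.append({"file": f["path"], "preceding": before, "served": after})
    return findings


def run(window_start="2023-03-02 22:00:00", window_end="2023-03-03 00:00:00"):
    """Full pipeline over the constructed data for an assumed incident window."""
    start, end = datetime.strptime(window_start, TS), datetime.strptime(window_end, TS)
    files = web_root_changes(parse_mft(MFT_CSV), start, end)
    return correlate(files, parse_iis(IIS_LOG))


if __name__ == "__main__":
    for f in run():
        print(f["file"])
        for q in f["preceding"]:
            print("  preceded by", q["ts"], q["c-ip"], q["cs-uri-stem"])
        for q in f["served"]:
            print("  later served to", q["c-ip"], "at", q["ts"])
```

On the sample data the only hit is the .cfm file written to the web root during the window; the two requests from the same client immediately before its creation and the later request for the file itself are what a responder would pull into the timeline and turn into an IIS-log detection. The two-minute slack and the extension list are tuning knobs; on a real MFT export the window should come from the EDR alert time, and the standard-information (0x10) timestamps should be compared against the $FILE_NAME (0x30) set to spot timestamp tampering.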
The investigation found threat actors exploiting a then-undisclosed vulnerability in Adobe ColdFusion to gain initial access by sending a specially crafted GET request that allows remote code execution. On March 14th, Adobe issued a threat warning, and CISA added the vulnerability, CVE-2023-26360, to its Known Exploited Vulnerabilities catalog on March 15th.
“Adobe released the CVE for ColdFusion on 3/14 so we were investigating days prior to the release and had detections in place 10 days before,” according to the ATI team.
To provide this level of analysis, ATI responders used a forensic analysis server recently built in AWS. Once the forensic client was installed, responders were able to deliver forensic-level analysis immediately. ATI provided the customer's security team, in real time, with a detailed listing of the actions the threat actor performed, including deleted files, program execution, lateral movement, and persistence mechanisms. This information was crucial in shaping containment and recovery strategies.
ATI ran the known indicators of compromise (IOCs) of this sophisticated attack vector across the Deepwatch customer base and found them present in other customer networks. Those customers were informed of the vulnerability and of the containment measures they needed to take.
What Should You Do?
This critical arbitrary code execution flaw, classified in MITRE's CWE as an Improper Access Control weakness, gives unauthenticated attackers remote access through low-complexity attacks that require no user interaction. If you run Adobe ColdFusion, follow the mitigation guidance issued by Adobe and CISA to protect your organization.
Deepwatch recommends that security teams regularly scan systems for vulnerabilities and patch them as soon as possible. Prioritize internet-exposed systems, with a focus on known exploited vulnerabilities such as those listed in CISA's Known Exploited Vulnerabilities Catalog.