Cring ransomware operators exploit 11-year Adobe ColdFusion vulnerability

An unknown cybercriminal group in a matter of minutes remotely hacked into a server with an outdated version of Adobe ColdFusion 9 and seized control over it, 和 79 hours later deployed the ransomware Cring on the server.

A server owned by an unnamed service provider was used to collect timesheets and accounting data for payroll, as well as to host a number of virtual machines.

According to the experts of the information security company Sophos, the attacks were carried out from an Internet address belonging to the Ukrainian Internet provider Green Floid.

In an attack recently investigated by Sophos, an unknown threat actor exploited an ancient-in-internet-years vulnerability in an 11-year-old installation of Adobe ColdFusion 9 to take control of the ColdFusion server remotely, then to execute ransomware known as Cring on the server, and against other machines on the target’s network.Sophos specialists write.
Andrew Brandt
Andrew Brandt

Sophos senior researcher Andrew Brandt says devices with outdated, vulnerable software are a tidbit for hackers.

然而, the big surprise is the fact that the server with 11-year-old software attacked by ransomware was actively and daily used. 通常, the most vulnerable are unused devices or forgottenghost machines”.

After gaining initial access to the server, the attackers used various sophisticated methods of hiding malicious files, injecting code into memory, and concealing an attack by overwriting files with corrupted data. 另外, hackers have deactivated security solutions by taking advantage of the fact that anti-tampering features were disabled.

In particular, attackers exploited directory traversal vulnerabilities (CVE-2010-2861) in the Adobe ColdFusion 9.0.1 and earlier administration console. The vulnerabilities allowed remote reading of arbitrary files, including files containing administrator password hashes (password.properties).

In the next stage of the attack, the hackers exploited an even earlier vulnerability in ColdFusion (CVE-2009-3960) to upload a malicious Cascading Stylesheet (CSS) file to the attacked server, which in turn downloaded the Cobalt Strike Beacon executable file.

This file served as a conduit for downloading additional payloads, creating accounts with administrator privileges, and even disabling endpoint protection and anti-virus engines like Windows Defender before starting the encryption process.

Let me remind you that we talked about the fact that Strange malware prevents victims from visiting pirate sites.

黑尔加·史密斯

我一直對電腦科學感興趣, 尤其是數據安全和主題, 而家被稱為 "數據科學", 由我十幾歲開始. 在進入病毒清除團隊擔任主編之前, 我曾喺多傢公司擔任網絡安全專家, 包括亞馬遜嘅承包商之一. 另一種體驗: 我在雅頓大學同雷丁大學任教.

留言

本網站使用Akismet嚟減垃圾郵件. 瞭解如何處理評論數據.

“返回頂部”按鈕