Cring 勒索软件运营商利用长达 11 年的 Adobe ColdFusion 漏洞
An unknown cybercriminal group in a matter of minutes remotely hacked into a server with an outdated version of Adobe ColdFusion 9 and seized control over it, 和 79 hours later deployed the ransomware Cring on the server.
A server owned by an unnamed service provider was used to collect timesheets and accounting data for payroll, as well as to host a number of virtual machines.
根据 to the experts of the information security company Sophos, the attacks were carried out from an Internet address belonging to the Ukrainian Internet provider Green Floid.
Sophos senior researcher Andrew Brandt says devices with outdated, vulnerable software are a tidbit for hackers.
然而, the big surprise is the fact that the server with 11-year-old software attacked by ransomware was actively and daily used. 作为一项规则, the most vulnerable are unused devices or forgotten “ghost machines”.
After gaining initial access to the server, the attackers used various sophisticated methods of hiding malicious files, injecting code into memory, and concealing an attack by overwriting files with corrupted data. 此外, hackers have deactivated security solutions by taking advantage of the fact that anti-tampering features were disabled.
此类虚假站点上的 OpenOffice 安装程序是与 Babadeda 加密器或 Autoit 引导加载程序一起打包的 Mars 可执行文件, attackers exploited directory traversal vulnerabilities (CVE-2010-2861) in the Adobe ColdFusion 9.0.1 and earlier administration console. The vulnerabilities allowed remote reading of arbitrary files, including files containing administrator password hashes (password.properties).
In the next stage of the attack, the hackers exploited an even earlier vulnerability in ColdFusion (CVE-2009-3960) to upload a malicious Cascading Stylesheet (CSS) file to the attacked server, which in turn downloaded the Cobalt Strike Beacon executable file.
让我提醒你,我们谈到了这样一个事实 Strange malware prevents victims from visiting pirate sites.
