Remote attackers have discovered and exploited pre-authentication remote code execution (RCE) vulnerabilities in Adobe ColdFusion 2021, allowing them to take control of affected systems. This has put numerous users of both Windows and macOS platforms at risk. Adobe has released security patches to address these vulnerabilities, but attackers are still taking advantage of them.
The attack campaign involves multiple stages: probing, reverse shells, and the deployment of malware. Attackers have been using tools like “interactsh” to test whether the exploit works against a given server, by having the target call back out of band. These probes tell the attackers which systems are vulnerable and lay the groundwork for the later, more damaging stages.
In addition to probing, attackers have used reverse shells to gain unauthorized access to victim systems. The reverse-shell payloads are delivered Base64-encoded, and once they run the attackers can remotely control the compromised system.
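The probing and Base64-encoded reverse-shell stages described above leave traces in web-server access logs. The following detector is an added example (not code from the article or from any of the vendors it mentions): it decodes Base64 tokens found in request URIs and flags ones that contain shell-command indicators, and separately flags requests that reference interactsh-style out-of-band callback domains. The sample log lines, the `hypothetical.cfm` path, the IP addresses and the placeholder payload are all constructed for the example, and the list of callback domains is an assumption to be checked against your own tooling.

```python
import base64
import re
from typing import Dict, List
from urllib.parse import unquote

# Substrings that mark a decoded payload as a shell command (defender-side signatures; extend as needed).
SHELL_INDICATORS = ("/dev/tcp/", "bash -i", "nc -e", "sh -c")
# Domains of the public interactsh servers (assumption: confirm against the tooling you see in the wild).
OOB_DOMAIN_RE = re.compile(r"\b[a-z0-9]+\.(?:oast\.(?:pro|live|site|online|fun|me)|interact\.sh)\b", re.I)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')

def decode_base64_token(token: str) -> str:
    """Decode a candidate Base64 token to text; return '' if it is not valid Base64 or not UTF-8."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return raw.decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        return ""

def scan_log_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests that carry an interactsh-style callback or a Base64-wrapped shell command."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        request = unquote(match.group(1))  # unquote, not unquote_plus: '+' is a Base64 character
        if OOB_DOMAIN_RE.search(request):
            findings.append({"line": line, "reason": "out-of-band callback domain (probe)"})
            continue
        for token in B64_TOKEN_RE.findall(request):
            decoded = decode_base64_token(token)
            if any(indicator in decoded for indicator in SHELL_INDICATORS):
                findings.append({"line": line, "reason": "base64-encoded shell command: " + decoded})
                break
    return findings

# Constructed sample log lines (not from the article); the payload is a labelled placeholder, not a working command.
_PLACEHOLDER = "sh -c PLACEHOLDER_REVERSE_SHELL /dev/tcp/198.51.100.7/4444"
_ENCODED = base64.b64encode(_PLACEHOLDER.encode()).decode()
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Aug/2023:10:00:01 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2023:10:00:02 +0000] "GET /hypothetical.cfm?q=nslookup%20c4ll.oast.fun HTTP/1.1" 500 0',
    f'198.51.100.7 - - [01/Aug/2023:10:00:09 +0000] "POST /hypothetical.cfm?data={_ENCODED} HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOGS):
        print(finding["reason"], "<-", finding["line"])
```

Run against real access logs the same way, feeding the lines into `scan_log_lines`; the decoded payload in each finding is what an IPS signature or a SIEM rule should key on.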
The attack campaign has also involved the deployment of various malware strains. Four distinct malware strains have been identified: XMRig Miner, Satan DDoS/Lucifer, RudeMiner, and BillGates/Setag backdoor.
The XMRig Miner is primarily associated with Monero cryptocurrency mining. Attackers have been harnessing this malware to hijack system processing power and generate financial gain for themselves.
Lucifer, on the other hand, is a hybrid bot that combines cryptojacking and distributed denial of service (DDoS) functionality. Beyond mining, it supports command and control (C2) operations, propagation through vulnerabilities, and sophisticated DDoS attacks.
RudeMiner, connected to Lucifer, carries over DDoS capabilities from previous campaigns; its reappearance in this campaign shows how persistent and adaptable the family is.
The BillGates/Setag backdoor, previously associated with Confluence Server vulnerabilities, has resurfaced in this context. It has multifaceted capabilities that encompass system hijacking, C2 communication, and diverse attack methods.
Despite the availability of security patches from Adobe, the continuous exploitation of these vulnerabilities highlights the urgency for users to take action. It is strongly advised that users upgrade their systems promptly and deploy protection mechanisms, such as antivirus services, IPS signatures, web filtering, and IP reputation tracking, to mitigate ongoing attacks.
In related news, Adobe recently reset user passwords as a precaution against data breach risks. This action was taken to ensure the security of user accounts. Additionally, Apple mistakenly approved malware disguised as Adobe Flash Player, highlighting the importance of vigilance when it comes to software updates. Fake Adobe updates have also been found to install cryptomining malware while updating Flash, further emphasizing the need for caution and verification when downloading software updates.
As the attack campaign targeting Adobe ColdFusion 2021 continues, it is crucial for users to stay vigilant and take the necessary steps to protect their systems from exploitation.
