What a failed attack against ColdFusion revealed about ransomware tools and tactics

A recent attack against servers running out-of-date Adobe software sheds some light on how threat actors are currently trying to exploit systems and deploy ransomware. In this attack, which took place in September and early October, the threat actors hoped to gain access to Windows servers and then deploy ransomware payloads. Although the attack failed, it still holds lessons.

According to an analysis by Sophos researchers who uncovered the attack, the threat actor was trying to deploy ransomware created using leaked source code from the family of ransomware known as LockBit 3.0. This is a trend Sophos researchers noticed in other campaigns, as well. The attackers likely chose the LockBit 3.0 ransomware family because of its speed and effectiveness.

In this incident, the attacker didn’t implement new techniques but targeted old and unsupported ColdFusion version 11 software. As is often the case, these threat actors sought security holes created through unpatched software. That’s precisely what they found.

How attackers gained entry and tried to escalate access

It is known that the attack began with the exploitation of a vulnerability in ColdFusion 11, but because network connection telemetry was not available, the researchers could not identify the precise vulnerability used. Once on the server, the attackers, as one might expect, dug deeper using several command-line instructions that are normally used to manage ColdFusion Server processes.

Threat actors frequently use command-line entries in this way to gain further access to a system or to deploy malware.

Following the trail of telemetry left behind, the Sophos researchers found the attackers had left directory listings enabled on the web server hosting their repository of tools. This enabled the researchers to explore the materials. “Within it, we discovered all the artifacts the attacker had attempted to deploy in the customer environment—as well as the final ransomware payload that the attacker intended to deploy, also sourced from the repository,” the researchers noted.

According to Sophos, the ransomware variant carries a ransom note that credits “BlackDogs 2023” as the threat actor and appears to be a new family of ransomware with a possible link to the leaked Lockbit 3.0 source code. “This connection becomes apparent when examining the static executable file’s properties and the similarities in the unpacked code in memory. It triggers the same in-memory protection as that source, Mem/Lockbit-B,” the researchers wrote.

Here’s the ransom note the researchers uncovered:

BlackDogs 2023 comming

Your data are stolen and encrypted

Please give me 205 Monero and we will give you the decryption program.

Our Monero address : [redacted]

The data will be published on TOR website if you do not pay the ransom

Your personal DECRYPTION ID: [redacted]

Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

Using Tox messenger, we will never know your real name, it means your privacy is guaranteed.

If you want to contact us, write in tox. [address redacted]

ColdFusion: An attacker’s favorite

With several vulnerabilities exploited over the past year, Adobe’s ColdFusion software remains a frequent target.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has regularly issued alerts about these vulnerabilities and notified organizations to patch their systems. Most recently, a Known Exploited Vulnerability (CVE-2023-38205) affected Adobe ColdFusion versions 2018u18, 2021u8, and 2023u2 and earlier. The CVE entry describes “an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.”
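As an added illustration that is not part of the article or of Sophos's work, the following Python helper turns the affected version list above, plus the article's point about unsupported releases such as ColdFusion 11, into a triage check over a server inventory. The hostnames and versions are constructed, and any update level above those listed for CVE-2023-38205 is assumed to be patched.

```python
import re

# Affected update levels for CVE-2023-38205 as stated in the article:
# 2018u18, 2021u8 and 2023u2 "and earlier". Later updates are assumed patched.
AFFECTED_MAX_UPDATE = {2018: 18, 2021: 8, 2023: 2}

# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("web-01", "ColdFusion 11"),   # the unsupported release from this incident
    ("web-02", "2021u8"),          # last affected update of the 2021 line
    ("web-03", "2021u9"),          # one update past the affected range
    ("web-04", "2023"),            # base release with no update applied
    ("web-05", "2018u20"),
]

_VERSION_RE = re.compile(r"(\d{2,4})(?:u(\d+))?\s*$")

def parse_version(text: str) -> tuple[int, int]:
    """Return (release, update) from '2021u8', '2023' or 'ColdFusion 11'; a
    missing update level is treated as 0, i.e. the unpatched base release."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def classify(release: int, update: int) -> str:
    """Map a (release, update) pair onto the action the article argues for."""
    if release in AFFECTED_MAX_UPDATE:
        if update <= AFFECTED_MAX_UPDATE[release]:
            return "affected by CVE-2023-38205: apply the vendor update"
        return "update level above the affected range"
    if release < 2018:
        # ColdFusion 11 and other pre-2018 releases are out of support (the
        # article's point): no patch will come, so the fix is migration.
        return "unsupported release: migrate"
    return "release not listed in the advisory: verify separately"

def triage(inventory):
    """Return (host, release, update, status) for every inventory entry."""
    out = []
    for host, version in inventory:
        release, update = parse_version(version)
        out.append((host, release, update, classify(release, update)))
    return out

def hosts_needing_action(inventory):
    """Hosts whose status calls for patching or migration."""
    return [h for h, _, _, s in triage(inventory)
            if s.startswith(("affected", "unsupported"))]
```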

This incident and these previous alerts reveal the importance of:

  • Maintaining up-to-date software and implementing strong cybersecurity controls. When using old software that is no longer supported, organizations set themselves up to be attacked and to become the victims of a successful attack. Attackers will always seek ways to exploit unpatched systems, and when they find one, they will see if they can take advantage of the situation.
  • Strong endpoint detection and response (EDR) systems. In this incident, the EDR detected and blocked the attack and prevented the ransomware from being deployed on the system. This serves as a reminder for organizations to use currently supported software, keep those systems up to date, and invest in security controls that will detect and mitigate attacks. For this, endpoint behavioral detection software can play a substantial role.

In conclusion, this failed attack against ColdFusion servers reveals a lot about the current state of ransomware. Threat actors continually refine their tactics and seek new vulnerabilities to exploit. However, with the right cybersecurity measures, organizations can effectively protect themselves against these threats.