An Adobe ColdFusion vulnerability, patched two months ago, was being exploited in the wild by a China-linked APT group, researchers found.
The vulnerability, CVE-2018-15961, is a critical unrestricted file upload bug that could also lead to arbitrary code-execution, researchers at Volexity, who discovered the exploitation, said on Thursday.
“Volexity recently observed active exploitation of a newly patched vulnerability in Adobe ColdFusion, for which no public details or proof-of-concept code exists,” researchers said in a post. “In the attack detected by Volexity, a suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell. The target server was missing a single update from Adobe that had been released just two weeks earlier.”
Adobe issued a fix for the unauthenticated file upload vulnerability in September. The company did not respond to a request for further comment from Threatpost.
The flaws impact Adobe’s ColdFusion product, which is the company’s commercial web application development platform. Specifically impacted are ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release). This effectively includes all versions of ColdFusion released over the last four years.
The flaw stems from a WYSIWYG rich text editor in modern versions of ColdFusion, CKEditor. While Adobe replaced the older WYSIWYG editor, FCKeditor, in previous versions of ColdFusion with CKEditor, “it appears … they inadvertently introduced an unauthenticated file upload vulnerability,” said researchers.
The Exploit
Researchers at Volexity first observed the exploited vulnerability two weeks after Adobe released its update.
“The attackers we observed uploaded a China Chopper webshell to the compromised server which allowed them to easily execute commands as if they had direct command line access,” Matthew Meltzer, security researcher at Volexity told Threatpost. “In the instance we observed the attackers performed reconnaissance commands, examining the system and network.”
The vulnerability can be easily exploited through a simple HTTP POST request to the file upload.cfm, which is not restricted and does not require any authentication, they said.
The APT group, which researchers did not give a specific name for, was observed exploiting the flaw to upload the JSP version of China Chopper, a web shell widely used by Chinese hackers and APT groups to remotely access compromised Web servers.
From there, the group’s China Chopper executed commands on the impacted web server before being cut off.
“We were able to quickly detect and cut off this group from the compromised network, however if access had remained uninterrupted, we suspect they would have attempted to escalate privileges, obtain credentials that could be used across the network, and move laterally. This is typically what we have observed in past compromises by other advanced threat groups,” said Meltzer.
After this initial discovery, researchers found that numerous other ColdFusion webservers also appear to have been compromised – belonging to a variety of organizations, such as educational institutions, state government, health research, humanitarian aid organizations, and more.
“Each of the sites showed signs of attempted webshell uploads or had HTML files designed to show they had been defaced,” the researchers said. “Volexity was not able to confirm that CVE-2018-15961 was the vulnerability abused in these instances. However, based on the placement of the files on the affected servers, Volexity believes that a non-APT actor may have identified this vulnerability prior to September 11, 2018.”
Researchers urged Adobe ColdFusion users to update- and in the meantime, to examine their log files and directories for anything that looks suspicious.
“Volexity recommends organizations identify any instances of Adobe ColdFusion currently in use, and verify the current version running,” they said. “It is highly recommended that any vulnerable instances be patched to the latest version immediately.”