A group of state-sponsored hackers, also known as an APT group, is actively attacking Adobe ColdFusion servers and planting backdoors for future attacks, according to Volexity researchers speaking to ZDNet.
The attacks have been taking place since the end of September and focus on ColdFusion servers that did not receive the security updates of September 11th. The hackers appear to have studied the September patches and worked out how to abuse CVE-2018-15961.
This vulnerability allows the APT group to upload a version of the China Chopper backdoor to vulnerable servers and take over the entire system. The root of the vulnerability is that Adobe replaced the technology behind ColdFusion's WYSIWYG editor, FCKEditor, with CKEditor. CKEditor is a newer and improved version of FCKEditor.
Vulnerability
But when Adobe installed the new version in the system, it accidentally reopened an unauthorized file upload vulnerability that it had patched in the FCKEditor integration in 2009. The first CKEditor integration shipped with a weaker blacklist for file uploads, which allowed users to upload JSP files to the server. Since ColdFusion can execute JSP files by itself, this creates a dangerous situation.
The attackers discovered that the .jsp extension had been omitted from the blacklist and abused it. Adobe found out about its mistake and blacklisted JSP files in the September patch. The hackers noticed this as well and started scanning for unpatched servers two weeks later. They then uploaded a JSP version of the China Chopper backdoor to exploit and take over the servers.
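The weakness described above comes down to an upload filter built as a blacklist that was missing one executable extension. The following example, added here and not code from the article, Adobe, CKEditor or Volexity, contrasts such a blacklist (constructed to omit .jsp, mirroring the gap the article describes) with an allowlist check that also handles upper-case and double extensions, and adds a small helper a defender can run over an upload directory listing to find files a JEE container could execute. The extension sets and the sample directory listing are constructed for illustration.

```python
"""
Added example (not code from the article, Adobe, CKEditor or Volexity).
Contrasts a deny-list upload filter that forgot .jsp with an allow-list
filter, and provides a scan helper for an upload directory listing.
All extension sets and sample file names below are constructed.
"""
import os
from pathlib import PurePosixPath

# Constructed deny-list: representative of a filter that omits .jsp.
WEAK_BLACKLIST = {".cfm", ".cfc", ".cfml", ".php", ".asp", ".aspx", ".exe", ".sh"}

# Constructed allow-list: the only types an image/document upload endpoint needs.
UPLOAD_ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}

# Assumed set of extensions that ColdFusion / a JEE container may execute.
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".cfm", ".cfc", ".cfml"}


def _suffixes(filename: str) -> list:
    """Every dotted suffix of the base name, lower-cased: 'a.jsp.png' -> ['.jsp', '.png']."""
    base = os.path.basename(filename.replace("\\", "/"))
    return [s.lower() for s in PurePosixPath(base).suffixes]


def blacklist_allows(filename: str) -> bool:
    """Deny-list check: anything whose last extension is not listed passes.
    Because .jsp is missing from WEAK_BLACKLIST, 'backdoor.jsp' is accepted."""
    suffixes = _suffixes(filename)
    last = suffixes[-1] if suffixes else ""
    return last not in WEAK_BLACKLIST


def allowlist_allows(filename: str) -> bool:
    """Allow-list check: the final extension must be on the list, and no
    executable extension may appear anywhere in the name, so 'shell.jsp.png'
    and 'BACKDOOR.JSP' are both rejected."""
    suffixes = _suffixes(filename)
    if not suffixes or suffixes[-1] not in UPLOAD_ALLOWLIST:
        return False
    return not any(s in EXECUTABLE_EXTENSIONS for s in suffixes)


def find_executable_uploads(filenames) -> list:
    """Defender's check: return (sorted) the names in an upload directory listing
    that carry an executable extension in any position, case-insensitively."""
    return sorted(
        f for f in filenames
        if any(s in EXECUTABLE_EXTENSIONS for s in _suffixes(f))
    )


# Constructed sample listing of an upload directory.
SAMPLE_UPLOAD_DIR = ["logo.png", "invoice.pdf", "cache.jsp", "notes.txt", "theme.JSPX"]


if __name__ == "__main__":
    for name in ["backdoor.jsp", "BACKDOOR.JSP", "shell.jsp.png", "photo.png", "page.cfm"]:
        print(f"{name:15} blacklist={blacklist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
    print("executable files in upload dir:", find_executable_uploads(SAMPLE_UPLOAD_DIR))
```

The allow-list form is the one to keep: a deny-list has to enumerate every extension the server might execute, and, as the article shows, one omission is enough. The scan helper only looks at file names, so it is a quick triage step rather than a replacement for reviewing file contents.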
What exactly the hackers intend to do with the servers is unknown. They are probably used to host malware and to send spear-phishing campaigns.
Volexity advises owners of ColdFusion servers to use the automatic server update feature so that their servers receive and install updates as soon as they become available.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.