Rapid7’s Threat Intelligence and Detection Engineering team has identified active exploitation of Adobe ColdFusion in multiple customer environments. The observed activity dates back to January 2023 and has not been tied back to a specific CVE at this time. IOCs are included below.
Rapid7 has existing detection rules within InsightIDR that have identified this activity and have created additional rules based upon this observed behavior. We have also observed the compromised website, ooshirts[.]com, being used in other attacks dating back to March 2022.
Attacker Behavior
The earliest time frame of compromise identified thus far occurred in early January 2023. Rapid7 discovered evidence indicating that a malicious actor dropped webshells using an encoded PowerShell command. Process start data indicates that ColdFusion 2018 is spawning malicious commands.
Example base64 encoded command executed by malicious actor through ColdFusion:
Decoded:
Rapid7 Customers
In our current investigations, previously existing and new detections have been observed triggering post exploitation across Rapid7 InsightIDR and Managed Detection & Response (MDR) customers:
Webshell - Possible ColdFusion Webshell In Command Line
This detection identifies common ColdFusion tags being passed in the command line. This technique is used by malicious actors when redirecting strings into files when creating webshells.
Attacker Technique - CertUtil With URLCache Flag
This detection identifies the use of the ‘certutil.exe’ binary with the ‘-urlcache’ flag being passed to it. This technique is used by malicious actors to retrieve files hosted on a remote web server and write them to disk.
Indicators of Compromise
This technique has been observed by malicious actors redirecting strings into files while creating webshells. Look for *.cfm files in ColdFusion webroots containing the following ColdFusion tags:
&l ..Support the originator by clicking the read the rest link below.
