Adobe Patches Actively Exploited ColdFusion Zero-Day Flaw

Adobe Systems released an emergency update for the ColdFusion application server to fix a critical remote code execution that’s already being exploited by attackers.

The vulnerability, tracked as CVE-2019-7816, is located in the upload functionality and is described as an upload restriction bypass. Attackers can exploit the flaw to upload executable code to a web-accessible directory and then execute it via an HTTP request.

The flaw affects ColdFusion 11, 2016 and 2018 and successful exploitation results in arbitrary code execution with the privileges of the ColdFusion service.

In addition to patching the flaw, Adobe has made several changes that can help mitigate this issue. It introduced a new application setting called blockedExtForFileUpload, added a new server option called “Blocked file extensions for CFFile uploads” and added a new property called BlockedExtForFileUpload to the setRuntimeProperty Admin API that can take a comma-separated list of file extensions to block.

The company advises users to upgrade to ColdFusion 11 Update 18, ColdFusion 2016 Update 10 or ColdFusion 2018 Update 3 depending on which version they’re using.

ColdFusion is used in the enterprise sector because it allows the rapid development of applications using the CFML scripting language. However, its popularity with businesses and other organizations has made it a target for attackers.

In November, researchers from Volexity detected attacks against ColdFusion servers that were exploiting a vulnerability patched only two months earlier and for which no technical details had been published. This means ColdFusion is interesting enough to attackers that they are willing to reverse engineer its patches.

At the time, Volexity warned that attackers had compromised many internet-accessible web servers running ColdFusion that belonged to organizations from the education sector, as well as state/government, health research, humanitarian aid and more.

APT Groups Use Cobalt Strike to Compromise Point-of-Sale Systems

Researchers from Morphisec have detected a spike in attacks against point-of-sale (PoS) systems since the beginning of the year, many of which used the Cobalt Strike penetration testing framework to deliver memory-scraping malware.

“More specifically, on the 6th of February we identified an extremely high number of prevention events stopping Cobalt Strike backdoor execution, with some of the attacks expressly targeting Point of Sale VMWare Horizon thin clients,” the researchers said in a new report this week.

The Cobalt Strike framework is used by penetration testers and red teams to simulate attacks against corporate networks, but has also been adopted by several sophisticated cybercriminal groups that focus on the financial sector.

Morphisec found certain indicators that suggest the latest attacks might be the work of a group known in the security industry as FIN6, which has targeted PoS systems in the past. However, in previous attacks, FIN6 abused the Metasploit framework, another popular penetration testing tool, not Cobalt Strike, so this would represent a significant change in tactics.

“If successful, the Cobalt Strike beacon payload gives attackers full control over the infected system and the ability to move laterally to other systems, harvest user credentials, execute code and more, all while evading advanced EDR scanning techniques,” the researchers said.

The attacks observed by the company were distributed globally and affected organizations in the finance, insurance and healthcare sectors from the United States, Japan and India, but also other targets around the world.

After compromising a PoS thin client, attackers were seen deploying the FrameworkPOS memory scraping malware which steals credit card details as transactions are being processed by the specialized software running on the devices.

“These types of advanced attacks that utilize memory to evade detection solutions either by reflectively loading libraries, hollowing process memory or injecting code into new processes, are harder and harder to attribute due to the simple fact that more and more criminals are taking advantage of the strength of these evasion techniques and the weakness of runtime detection technologies to cope with such evasion,” Morphisec said.

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
