Chinese hackers exploited a recently patched critical ColdFusion vulnerability

  • The flaw, which is a critical unrestricted file upload vulnerability, was patched in September.
  • Security researchers observed a Chinese APT exploiting the flaw to upload the JSP version of the China Chopper webshell.

China-linked hackers have been spotted exploiting a critical vulnerability in Adobe ColdFusion. The flaw, which is a critical unrestricted file upload vulnerability, was patched in September. The vulnerability, CVE-2018-15961, could allow attackers to conduct arbitrary code-execution attacks.

According to security experts at Volexity, who discovered the attacks, a Chinese APT was able to directly attack a vulnerable ColdFusion server by uploading a China Chopper webshell. Volexity researchers said that the targeted server was missing just one update, which Adobe released in September. The flaw impacts all versions of ColdFusion released over the last four years.

“Adobe’s ColdFusion web application development platform has historically been a major target of APT groups looking to compromise networks running it. Modern versions of ColdFusion include the WYSIWYG rich text editor CKEditor,” Volexity researchers said in a report.

“The attackers we observed uploaded a China Chopper webshell to the compromised server which allowed them to easily execute commands as if they had direct command line access,” Matthew Meltzer, a security researcher at Volexity, told Threatpost. “In the instance we observed the attackers performed reconnaissance commands, examining the system and network.”

According to Meltzer, Volexity was able to stem the attack. However, the researchers believe that if the cybercriminals had managed to maintain access to the vulnerable server, they likely would have escalated privileges, stolen credentials, and more.

The researchers also discovered that several other internet-accessible ColdFusion servers had been targeted, compromising numerous systems. These targeted servers belonged to organizations such as state governments, educational institutions, health research centers, humanitarian aid organizations, and others.

“Each of the sites showed signs of attempted webshell uploads or had HTML files designed to show they had been defaced. Volexity was not able to confirm that CVE-2018-15961 was the vulnerability abused in these instances,” the researchers added. “However, based on the placement of the files on the affected servers, Volexity believes that a non-APT actor may have identified this vulnerability prior to September 11, 2018.”