
ColdFusion Hacks Point To Unpatched Systems

Several highly publicized hacks have been traced to unpatched ColdFusion vulnerabilities, collectively exposing well over one million records.

What do breaches involving the Department of Energy, Washington state's court system and the popular limo service CorporateCarOnline have in common? All were apparently running servers that sported outdated or unpatched versions of the ColdFusion application server software sold by Adobe. In addition, in at least two of the cases -- and possibly all three -- hackers exploited ColdFusion to access and steal sensitive data stored on the servers.

"ColdFusion-induced breaches are definitely on the rise, which teaches us that hackers and security researchers are looking into this platform more and more as a green field for hacking endeavors," said Barry Shteiman, director of security strategy at Web application firewall vendor Imperva, in a blog post. To date, furthermore, they've enjoyed great success at tapping "auxiliary functionality that is supposed to be used indirectly only by an administrator of the specific system, but in fact can be used by a hacker," he said.

Perhaps that's because hacking outdated versions of ColdFusion is child's play. Earlier this year, for example, a module was published for the open source exploitation framework Metasploit that automatically exploits what the module's author described as "a pile of vulnerabilities in ColdFusion APSB13-03," referring to a hotfix for ColdFusion 9.x and 10 that Adobe released in January. The module chains an arbitrary command execution bug (which only works against ColdFusion 9.x) with directory traversal and authentication bypass bugs. A successful run yields admin-level access to the targeted ColdFusion server, which an attacker can then use to plant a backdoor.

Shteiman placed the blame for those vulnerabilities squarely on Adobe, saying the Metasploit module "uses [an] administrative function that isn't properly hardened within the platform."

At the same time, however, how many of those businesses regularly patched their ColdFusion systems after Adobe released its regular security updates? Besides recommending rapid patching, Shteiman also noted that too many businesses fail to audit their applications, and thus don't know that they have ColdFusion servers to lock down in the first place. "Knowing the platforms that you have -- [and] the platforms that are used by third party companies/solutions that you work with -- is key in understanding your security posture," he said.

For added security, he also recommended using a Web application firewall -- which his company sells -- to add an extra layer of defense that can help identify and block attacks that might otherwise exploit vulnerable servers.
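The audit-and-lock-down advice above is easier to act on with a concrete check. The following is an added example, not code from the article, from Imperva or from Adobe: a small Python detector that runs over web server access-log lines and flags two things the exploit chain described earlier depends on, namely requests to ColdFusion's administrative URL prefixes (the admin console and admin API, which the lockdown guidance says should not be reachable from the internet) arriving from outside an allowlisted network, and percent-encoded directory-traversal sequences anywhere in the request. The log lines, the allowlist network and the file names in the requests are constructed for the example; only the /CFIDE/administrator/ and /CFIDE/adminapi/ prefixes are real ColdFusion paths.

```python
"""Flag access-log requests that reach ColdFusion administrative paths
from untrusted addresses or carry directory-traversal sequences.

Added example; the log lines below are constructed, not data from any of
the breaches described in the article.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Well-known ColdFusion administrative URL prefixes (admin console, admin API,
# component utilities). Compared case-insensitively after decoding.
ADMIN_PREFIXES = ("/cfide/administrator/", "/cfide/adminapi/", "/cfide/componentutils/")

# Networks from which administrators legitimately use the console.
# Constructed allowlist for the example; replace with your management range.
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]

# Apache-style combined log: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
LOG_LINES = [
    '10.0.0.5 - - [12/Nov/2013:09:15:02 -0500] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '198.51.100.23 - - [12/Nov/2013:09:16:40 -0500] "GET /CFIDE/Administrator/index.cfm HTTP/1.1" 200 5120',
    '198.51.100.23 - - [12/Nov/2013:09:16:41 -0500] "GET /CFIDE/adminapi/administrator.cfc?method=login HTTP/1.1" 200 220',
    '198.51.100.23 - - [12/Nov/2013:09:17:05 -0500] "GET /CFIDE/administrator/index.cfm?file=..%252F..%252F..%252Flib%252Fpassword.properties HTTP/1.1" 200 1100',
    '203.0.113.9 - - [12/Nov/2013:09:20:11 -0500] "GET /index.cfm HTTP/1.1" 200 3300',
]


def decode_request(raw):
    """Percent-decode twice (so %252F becomes /), fold backslashes to slashes
    and lower-case, so obfuscated variants compare equal to the plain form."""
    decoded = raw
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace("\\", "/").lower()


def classify(line):
    """Return a list of finding tags for one log line, [] if clean,
    or None if the line does not parse as an access-log entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    src = ip_address(m["ip"])
    decoded = decode_request(m["path"])
    path = decoded.split("?", 1)[0]
    findings = []
    trusted = any(src in net for net in ADMIN_NETWORKS)
    if path.startswith(ADMIN_PREFIXES) and not trusted:
        findings.append("admin-path-from-untrusted-ip")
    if "../" in decoded:
        findings.append("directory-traversal")
    return findings


def scan(lines):
    """Run classify() over every line; return (ip, raw_path, findings) for
    each line that produced at least one finding."""
    hits = []
    for line in lines:
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["path"], findings))
    return hits


if __name__ == "__main__":
    for ip, path, findings in scan(LOG_LINES):
        print(f"{ip} {path} -> {', '.join(findings)}")
```

Two design points: the decode step runs twice because a single layer of encoding is what a naive filter strips, and double-encoded traversal is the usual way around it; and the admin-path rule keys on the source address rather than the HTTP status, since an authentication bypass by definition produces a 200 that looks like a legitimate administrator session.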

As the three breaches highlighted above show, failing to lock down ColdFusion can have devastating repercussions. For example, the attack against Washington state's Administrative Office of the Courts (AOC) servers, which was disclosed in May, resulted in attackers obtaining copies of up to 160,000 social security numbers and 1 million driver's license numbers.

Washington state officials have admitted that they could only narrow the timeline of the breach down to sometime between September 2012 and February 2013. February 2013 is when the state was tipped off to the breach by an east coast business that had likewise been exploited via a ColdFusion vulnerability, and which found signs pointing to the state's AOC servers.

At the Department of Energy, meanwhile, an ongoing investigation into a July 2013 ColdFusion hack has found that records relating to at least 100,000 past and current federal employees, dependents and contractors -- including their names, social security numbers and dates of birth -- were stolen by attackers. That count of breach victims may well continue to climb.

Finally, the breach of CorporateCarOnline hasn't been definitively tied to ColdFusion. But security reporter Brian Krebs reported that the business's site did sport a known ColdFusion vulnerability, meaning that would-be attackers had at least one way in. In that case, the breach resulted in the theft of "more than 850,000 credit card numbers, expiry dates and associated names and addresses," reported Krebs. Some 241,000 of those were tied to high-limit or no-limit credit card accounts that would fetch a tidy sum via cybercrime marketplaces.

Identity theft is of course a concern for people whose information was stolen in those three breaches. But in the case of CorporateCarOnline, at least, the hackers behind that breach appear to have employed the stolen data to fashion targeted attacks against some of the limousine and town car service's customers, who included not just numerous high-profile personalities, such as basketball player LeBron James and actor Tom Hanks, but also Fortune 500 CEOs and top lawmakers, including House Judiciary Committee Chairman Rep. John Conyers (D-Mich.).

In the stash of stolen data, notably, Krebs found customer records for Kevin Mandia, the chief executive of information security firm Mandiant, which earlier this year blamed an ongoing series of advanced persistent threat attacks on a China-based gang it dubbed APT1.

Mandia said the attack was disguised as a legitimate communication from an unnamed limo company. "I've been receiving PDF invoices not from them, but from an [advanced hacking] group back in China; that's awesome," Mandia said last month, reported Foreign Policy.

But it wasn't until Mandia was invoiced for a day that he hadn't used the service that he suspected that the PDF invoices were fakes. "I forwarded them to our security service, and they said, 'Yup, that's got a [malicious] payload,'" he said.
