Cring Ransomware Gang Exploits 11-Year-Old ColdFusion Bug
2021-09-21 06:00

Unidentified threat actors breached a server running an unpatched, 11-year-old version of Adobe's ColdFusion 9 software in minutes, took remote control of it, and deployed file-encrypting Cring ransomware on the target's network 79 hours after the hack.

"Devices running vulnerable, outdated software are low-hanging-fruit for cyberattackers looking for an easy way into a target," Sophos principal researcher Andrew Brandt said.

The British security software firm said the "rapid break-in" was made possible by exploiting an 11-year-old installation of Adobe ColdFusion 9 running on Windows Server 2008, both of which have reached end-of-life.

Upon gaining an initial foothold, the attackers used a wide range of sophisticated methods to conceal their files, inject code into memory, and cover their tracks by overwriting files with garbled data. They also disarmed security products, capitalizing on the fact that tamper-protection features were turned off.

Specifically, the adversary took advantage of CVE-2010-2861, a set of directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier that could be abused by remote attackers to read arbitrary files, such as those containing administrator password hashes.

In the next stage, the bad actor is believed to have exploited another vulnerability in ColdFusion, CVE-2009-3960, to upload a malicious Cascading Style Sheets (CSS) file to the server, which was then used to load a Cobalt Strike Beacon executable.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/USuDSvrWDUo/cring-ransomware-gang-exploits-11-year.html

Related Vulnerability

Date: 2010-08-11
CVE: CVE-2010-2861
Vulnerability title: Path Traversal vulnerability in Adobe ColdFusion
Description: Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
Risk: network, low complexity, adobe, CWE-22, critical, 9.8

Date: 2010-02-15
CVE: CVE-2009-3960
Vulnerability title: Unspecified vulnerability in Adobe products
Description: Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.
Risk: network, low complexity, adobe, 6.5
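
For the CVE-2010-2861 entry above, a log-hunting sketch that flags requests to the five listed administrator endpoints whose locale parameter does not look like a plain locale code. This is an added example, not code from the article or from Sophos; the log lines are constructed, and the combined log format and the shape of a benign locale value (such as en or en_US) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoints named in the CVE-2010-2861 entry, relative to /CFIDE/administrator/
PREFIX = "/cfide/administrator/"
ENDPOINTS = {"settings/mappings.cfm", "logging/settings.cfm",
             "datasources/index.cfm", "j2eepackaging/editarchive.cfm",
             "enter.cfm"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a benign locale is a short language code, optionally with region.
BENIGN_LOCALE = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z]{2})?")

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (line_no, endpoint, decoded_locale) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # Windows/IIS paths are case-insensitive, so compare in lower case.
        path = fully_decode(url.path).lower()
        endpoint = path[len(PREFIX):]
        if not path.startswith(PREFIX) or endpoint not in ENDPOINTS:
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            locale = fully_decode(value)
            if name.lower() == "locale" and not BENIGN_LOCALE.fullmatch(locale):
                hits.append((line_no, endpoint, locale))
    return hits

# Constructed sample access-log lines (documentation IP ranges, placeholder file).
SAMPLE = [
    '203.0.113.7 - - [21/Sep/2021:06:00:01 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5120',
    '203.0.113.7 - - [21/Sep/2021:06:00:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2f..%2f..%2fexample.txt HTTP/1.1" 200 312',
    '203.0.113.7 - - [21/Sep/2021:06:00:03 +0000] "GET /cfide/administrator/settings/mappings.cfm?locale=%252e%252e%255cexample HTTP/1.1" 200 312',
    '198.51.100.4 - - [21/Sep/2021:06:00:04 +0000] "GET /index.cfm?locale=../x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Any hit on an internet-facing server is worth triage even if the request failed, since the administrator console should not be reachable from untrusted networks at all.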