Fortinet has observed significant threat exploitation targeting Adobe ColdFusion, a web development computing platform.
This is despite a series of security updates (APSB23-40, APSB23-41, and APSB23-47) released by Adobe in July following reports of several critical vulnerabilities in its platform.
Since those updates, however, Fortinet’s FortiGuard Labs IPS telemetry data has continued to detect numerous efforts to exploit one of these vulnerabilities, the deserialization of untrusted data by the Web Distributed Data eXchange (WDDX) data that forms part of some requests to ColdFusion.
This vulnerability is critical because it poses a significant risk of arbitrary code execution.
The observed attacks include probing, using an interactsh tool that can generate specific domain names to help researchers test whether an exploit is successful but can also be used by attackers, and establishing reverse shells, often called remote shells or connect-back shells, to attempt to exploit vulnerabilities within a target system by initiating a shell session, thereby enabling access to the victim’s computer.
In the report, FortiGuard Labs has identified four malware variants used by attackers trying to exploit ColdFusion’s deserialization vulnerability:
- XMRig Miner, which leverages computer processing cycles to mine for the Monero cryptocurrency
- Satan DDoS/Lucifer, a hybrid bot that combines cryptojacking and distributed denial of service (DDoS) functionalities
- RudeMiner/SpreadMiner, with similar functionalities as Lucifer
- BillGates/Setag, a backdoor known for hijacking systems, communicating with command and control servers and initiating attacks
“Although the patches for these vulnerabilities have already been released, public attacks are still occurring. We strongly urge users to upgrade affected systems immediately and apply FortiGuard protection to avoid threat probing,” FortiGuard Labs warned.