TechWeb

ColdFusion Hacks Point To Unpatched Systems

Nov 07, 2013 (08:11 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=240163694


What do breaches involving the Department of Energy, Washington state's court system and the popular limo service CorporateCarOneline have in common? All were apparently running servers that sported outdated or unpatched versions of the ColdFusion application server software sold by Adobe. In addition, in at least two of the cases -- and possibly all three -- hackers exploited ColdFusion to access and steal sensitive data stored on the servers.

"ColdFusion-induced breaches are definitely on the rise, which teaches us that hackers and security researchers are looking into this platform more and more as a green field for hacking endeavors," said Barry Shteiman, director of security strategy at Web application firewall vendor Imperva, in a blog post. To date, furthermore, they've enjoyed great success at tapping "auxiliary functionality that is supposed to be used indirectly only by an administrator of the specific system, but in fact can be used by a hacker," he said.

Perhaps that's because hacking outdated versions of ColdFusion is child's play. Earlier this year, for example, a module was published for the open source vulnerability framework Metasploit that automatically exploits what the module writer described as "a pile of vulnerabilities in ColdFusion APSB13-03," referring to a "hotfix" for ColdFusion 9.x and 10 released by Adobe in January. In particular, the exploit chains together an arbitrary command execution bug (that only works against ColdFusion 9.x), as well as directory traversal and authentication bypass bugs. The result of a successful exploit using this module is admin-level access to the targeted system, giving a would-be attacker backdoor access to the targeted ColdFusion system.

Shteiman placed the blame for those vulnerabilities squarely on Adobe, saying the Metasploit module "uses [an] administrative function that isn't properly hardened within the platform."

At the same time, however, how many of those businesses regularly patch their ColdFusion systems after Adobe released regularly security updates? Besides recommending rapid patching, Shteiman also noted that too many businesses fail to audit their applications, and thus don't know that they should be locking down ColdFusion servers in the first place. "Knowing the platforms that you have -- [and] the platforms that are used by third party companies/solutions that you work with -- is key in understanding your security posture," he said.

For added security, he also recommended using a Web application firewall -- which his company sells -- to add an extra layer of defense that can help identify and block attacks that might otherwise exploit vulnerable servers.

As the three breaches highlighted above show, failing to lock down ColdFusion can have devastating repercussions. For example, the attack against Washington state's Administrative Office of the Courts (AOC) servers, which was disclosed in May, resulted in attackers obtaining copies of up to 160,000 social security numbers and 1 million driver's license numbers.

Washington state officials have admitted that they could only narrow the timeline of the breach down to sometime between September 2012 and February 2013. That's when the state was tipped off to the breach by an east coast business that had likewise been exploited via a ColdFusion vulnerability, and which found signs pointing to the state's AOC servers.

At the Department of Energy, meanwhile, an ongoing investigation into a July 2013 ColdFusion hack has found that records relating to at least 100,000 past and current federal employees, including dependents and contractors -- including their name, social security number, and date of birth -- were stolen by attackers. That count of breach victims may well continue to climb.

Finally, the breach of CorporateCarOneline hasn't been definitely tied to ColdFusion. But security reporter Brian Krebs reported that the business's site did sport a known ColdFusion vulnerability, meaning that would-be attackers had at least one way in. In that case, the breach resulted in the theft of "more than 850,000 credit card numbers, expiry dates and associated names and addresses," reported Krebs. Some 241,000 of those were tied to high-limit or no-limit credit card accounts that would fetch a tidy sum via cybercrime marketplaces.

Identity theft is of course a concern for people whose information was stolen in those three breaches. But in the case of CorporateCarOneline, at least, the hackers behind that breach appear to have employed the stolen data to fashion targeted attacks against some of the limousine and town car service's customers, which included not just numerous high-profile personalities, including basketball player LeBron James, actor Tom Hanks, but also Fortune 500 CEOs and top lawmakers, including House Judiciary Committee Chairman Rep. John Conyers, (D-Mich.).

In the stash of stolen data, notably, Krebs found customer records for Kevin Mandia, the chief executive of information security firm Mandiant, which earlier this year blamed an ongoing series of advanced persistent threat attacks on a China-based gang it dubbed APT1.

Mandia said the attack was disguised as a legitimate communication from an unnamed limo company. "I've been receiving PDF invoices not from them, but from an [advanced hacking] group back in China; that's awesome," Mandia said last month, reported Foreign Policy.

But it wasn't until Mandia was invoiced for a day that he hadn't used the service that he suspected that the PDF invoices were fakes. "I forwarded them to our security service, and they said, 'Yup, that's got a [malicious] payload," he said.