ColdFusion Bug Exploited by Cring Ransomware Gang (24th September 2021)

Ref# AL2021_29 | Date: Sep 24th 2021

Attackers have used an old Windows ColdFusion server to spread Cring ransomware. Sophos researchers have revealed that an unknown threat actor exploited an ancient-in-internet-years vulnerability in an 11-year-old installation of Adobe ColdFusion 9 to take control of the ColdFusion server remotely, then to execute the ransomware on the server and against other machines on the target's network.

Summary

The server running ColdFusion was running the Windows Server 2008 operating system, which reached Microsoft end-of-life in January 2020. Adobe declared end-of-life for ColdFusion 9 in 2016. As a result, neither the operating system nor the ColdFusion software could be patched.

Despite the age of the software and the server, the attacker used fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks by deleting logs and other artifacts that could be used in an investigation. The attackers breached the internet-facing server in minutes and executed the ransomware 79 hours later.

How It Works

It was found that the attackers were using an internet address assigned to the Ukrainian ISP Green Floid. They began scanning the target's website using an automated tool, attempting to browse to more than 9000 paths on the target's website in just 76 seconds. The scans revealed that the web server was hosting valid files and URI paths specific to ColdFusion installations, such as /admin.cfm, /login.cfm, and /CFIDE/Administrator/.

The attackers then took advantage of CVE-2010-2861, a set of directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier that could be used by remote attackers to read arbitrary files, such as those containing administrator password hashes (“password.properties”).

In the next stage, the attacker is believed to have exploited another vulnerability in ColdFusion, CVE-2009-3960, which permits a remote attacker to inject data through an abuse of ColdFusion's XML handling, and to disarm security products by capitalizing on the fact that tamper-protection functionality was turned off. This allowed them to upload a malicious Cascading Style Sheet (CSS) file to the server and use it to load a Cobalt Strike Beacon executable. This binary then acted as a channel for the remote attackers to drop additional payloads, create a user account with admin privileges, and even disable endpoint protection systems and anti-malware engines like Windows Defender, before commencing the encryption process.
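The two observable precursors described above, a burst of thousands of paths from one address and traversal sequences aimed at ColdFusion administrator paths and password.properties, can both be picked out of ordinary web-server logs. The following is an added detection example, not code from the alert or from Sophos; the log lines, the W3C-style field layout and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (fields: date time client-ip method uri-stem uri-query status).
SAMPLE_LOG = """\
2021-09-01 10:00:00 198.51.100.7 GET /index.cfm - 200
2021-09-01 10:00:01 198.51.100.7 GET /CFIDE/administrator/index.cfm - 200
2021-09-01 10:00:01 198.51.100.7 GET /admin.cfm - 404
2021-09-01 10:00:02 198.51.100.7 GET /login.cfm - 200
2021-09-01 10:00:03 198.51.100.7 GET /CFIDE/administrator/index.cfm page=..%2F..%2Fpassword.properties 200
2021-09-01 10:05:00 203.0.113.9 GET /index.cfm - 200
"""

# ColdFusion paths named in the alert, common traversal encodings, and the file the traversal read.
COLDFUSION_PATHS = ("/cfide/administrator/", "/admin.cfm", "/login.cfm")
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|\.\.%2f|%2e%2e)", re.IGNORECASE)
SENSITIVE_FILE = "password.properties"

def parse_line(line):
    """Split one log line into a dict; return None for blank or malformed lines."""
    p = line.split()
    if len(p) != 7:
        return None
    ts = datetime.strptime(p[0] + " " + p[1], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "ip": p[2], "stem": p[4], "query": "" if p[5] == "-" else p[5]}

def find_traversal(lines):
    """Return (ip, stem, query) for ColdFusion admin requests carrying traversal or the password file."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        target = rec["stem"] + "?" + rec["query"]
        if rec["stem"].lower().startswith(COLDFUSION_PATHS) and (
            TRAVERSAL_RE.search(target) or SENSITIVE_FILE in target.lower()):
            hits.append((rec["ip"], rec["stem"], rec["query"]))
    return hits

def find_bursts(lines, max_paths=100, window_seconds=60):
    """Map client IP -> distinct paths requested inside any window_seconds span above max_paths
    (the scan in this alert hit over 9000 paths in 76 seconds; thresholds here are assumptions)."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec["ip"]].append((rec["ts"], rec["stem"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            distinct = len({stem for _, stem in events[start:end + 1]})
            if distinct > max_paths:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged
```

Run both functions over the real access logs of any internet-facing ColdFusion host; on an unpatchable server such as the one in this alert, a hit on either rule is the point at which the host should be isolated.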

Remediation

The following best practices are recommended to help defend against Cring and other types of ransomware and related cyberattacks:

  • Deploy Antivirus Protection. As more ransomware attacks begin to involve extortion, backups remain necessary, but insufficient. It is more important to keep attackers out or detect them before they can cause harm. Always ensure that you have reputable antivirus software installed on your systems.
  • Keep Windows and other operating systems and software up to date. This also means double checking that patches have been installed correctly and are in place for critical systems like internet-facing machines or domain controllers.
  • Monitor and respond to alerts. Ensure the appropriate tools, processes, and resources (people) are available to monitor, investigate and respond to threats seen in the environment.
  • Set and enforce strong passwords. Strong passwords serve as one of the first lines of defense. Passwords should be unique or complex and never re-used.
  • Use Multi-Factor Authentication (MFA). Strong passwords can be compromised. Any form of multi-factor authentication is better than none for securing access to critical resources.
  • Lock down accessible services. Perform network scans from the outside and identify and lock down the ports commonly used by VNC, RDP, or other remote access tools. If a machine needs to be reachable using a remote management tool, put that tool behind a VPN.
  • Make offline backups of information and applications. Keep backups up to date, ensure their recoverability and keep a copy offline.
  • Audit Active Directory (AD). Conduct regular audits on all accounts in AD, ensuring that none have more access than is needed for their purpose. Disable accounts for departing employees as soon as they leave the company.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

References

Lakshmanan, Ravie. (2021, September 21). Cring Ransomware Gang Exploits 11-Year-Old ColdFusion Bug. Retrieved from The Hacker News:
https://thehackernews.com/2021/09/cring-ransomware-gang-exploits-11-year.html

Brandt, Andrew. (2021, September 21). Cring ransomware group exploits ancient ColdFusion server. Retrieved from Sophos News:
https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/