Response to CISA Advisory (AA23-339A): Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers

AttackIQ has released two new attack graphs and one new scenario in response to the recently published CISA Advisory (AA23-339A), which disseminates Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs), and detection methods associated with the exploitation of CVE-2023-26360 at a Federal Civilian Executive Branch (FCEB) agency. These attack graphs are based on two separate incidents that compromised at least two public-facing servers at an FCEB agency between June and July 2023.

On December 5, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. Following the FCEB agency’s investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.

In both incidents, Microsoft Defender for Endpoint (MDE) alerted the agency to the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. The adversary also ran various commands on the compromised web servers. The exploited vulnerability allowed the threat actors to drop malware using HTTP POST requests to the directory path associated with ColdFusion.

This vulnerability is an improper access control issue affecting Adobe ColdFusion versions 2018 Update 15 (and earlier), 2021 Update 5 (and earlier), ColdFusion 2016, and ColdFusion 11 installations. Exploitation of this CVE can result in arbitrary code execution.

AttackIQ has released two new attack graphs and a new scenario that emulate the activities observed during the exploitation of this Adobe ColdFusion vulnerability by an unidentified adversary, with the aim of helping customers validate their security controls and their ability to defend against this recent threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using these new pieces of content in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against behaviors observed during two incidents that affected public-facing servers by abusing the same known vulnerability.
  • Assess their security posture against a threat capable of adapting its capabilities to carry out reconnaissance activities.
  • Continuously validate detection and prevention pipelines against other affiliates who will likely leverage similar techniques in their own intrusions.

[CISA AA23-339A] Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers (Victim #1)


This attack graph is based on an incident that took place as early as June 26, 2023, where adversaries obtained an initial foothold on a public-facing web server running Adobe ColdFusion v2016.0.0.3 through exploitation of CVE-2023-26360.


This emulation begins with the profiling of the compromised environment, during which the adversary will seek to collect relevant system information. During this stage, the adversary obtains information about the compromised system, running processes, installed software, files and directories of interest, and internet connectivity.

Process Discovery (T1057): The built-in Windows tasklist command is executed as a command process and the results are saved to a file in a temporary location.

Internet Connection Discovery (T1016.001): The actors pinged Google’s 8.8.8.8 DNS server to verify that they could reach the internet.

System Information Discovery (T1082): The native systeminfo command and the Windows API function NetWkstaGetInfo are executed to retrieve information about the Windows system.

Software Discovery (T1518): Reg.exe is used to read HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall, the registry key containing entries for all the software installed on the victim asset.

File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and output to a temporary file.


In the last stage, which begins with the successful deobfuscation of the payload through certutil, the adversary seeks to learn more about the victim environment with the goal of identifying additional hosts that can be targeted for lateral movement.

Deobfuscate/Decode Files or Information (T1140): Use the legitimate certutil binary to decode a base64 encoded payload.

System Network Connections Discovery (T1049): The native Windows command line tool netstat is used to collect active connections and any listening services running on the host.

Remote System Discovery (T1018): Nmap is used to scan the local network searching for any remotely accessible systems.

[CISA AA23-339A] Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers (Victim #2)


This attack graph is based on an incident that took place as early as June 2, 2023, where adversaries obtained an initial foothold on an additional public-facing web server running Adobe ColdFusion v2021.0.0.2 through exploitation of CVE-2023-26360.


This emulation begins with the collection of information related to the compromised environment. During this stage, the adversary will seek to identify domain trusts, local and domain accounts, network configuration, and query user information.

Domain Trust Discovery (T1482): This scenario calls the native nltest utility with the /trusted_domains option to retrieve a list of trusted Active Directory domains associated with this host.

Permission Groups Discovery: Local Groups (T1069.001): The actor is interested in finding out the memberships of privileged local groups like Remote Desktop Users and Local Administrators. They accomplish this by executing net localgroup lookups.

Account Discovery: Local Account (T1087.001): A list of local accounts configured on this host is collected by executing the net user command. Knowing what other accounts are present on the host allows the actor to potentially reuse previously known credentials or identify disabled legitimate accounts they can re-enable to blend in with everyday activity.

Account Discovery: Domain Account (T1087.002): The system command net group is used to list Domain and Enterprise Admins accounts.

System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like ipconfig, arp, route, and nltest.

System Owner / User Discovery (T1033): The scenario lives off the land by running whoami and query user to gain details about the currently logged-on accounts and their permission groups.
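Each of the discovery steps above is a legitimate administrative command, so matching any one of them in isolation is noisy. What distinguishes both incidents is the burst: many distinct discovery tools spawned by the same parent process within a few minutes. The following is an added example, not AttackIQ's or CISA's code, of an aggregation detector over process-creation events (the shape of a Sysmon Event ID 1 or Security 4688 record reduced to timestamp, parent PID and command line). It covers the tools named for both Victim #1 and Victim #2; the events, PIDs and timestamps are constructed, and the 10-minute window and the threshold of four distinct techniques are tuning assumptions.

```python
"""Aggregation detector for the host-discovery bursts described in the two attack graphs.
Added example, not AttackIQ's or CISA's code; the events below are constructed."""
from collections import namedtuple
from datetime import datetime, timedelta

ProcEvent = namedtuple("ProcEvent", "time parent_pid command_line")

# Command (first token, or first two tokens for net/reg/query) -> ATT&CK technique,
# as listed in the write-up for the two victims.
DISCOVERY_COMMANDS = {
    "tasklist": "T1057",
    "ping": "T1016.001",
    "systeminfo": "T1082",
    "reg query": "T1518",
    "dir": "T1083",
    "netstat": "T1049",
    "nmap": "T1018",
    "nltest": "T1482",
    "net localgroup": "T1069.001",
    "net user": "T1087.001",
    "net group": "T1087.002",
    "ipconfig": "T1016",
    "arp": "T1016",
    "route": "T1016",
    "whoami": "T1033",
    "query user": "T1033",
}


def classify_command(command_line):
    """Map a command line to a discovery technique id, or None if it is not a listed tool."""
    tokens = command_line.strip().split()
    if not tokens:
        return None
    # Drop a directory prefix and .exe suffix so 'C:\Windows\System32\net.exe user' still matches.
    head = tokens[0].rsplit("\\", 1)[-1].lower()
    if head.endswith(".exe"):
        head = head[:-4]
    # 'dir' is a cmd built-in and other tools are often wrapped the same way: unwrap cmd /c "<tool> ...".
    if head == "cmd" and len(tokens) >= 3 and tokens[1].lower() == "/c":
        return classify_command(" ".join(tokens[2:]).strip('"'))
    if len(tokens) > 1:
        two_word = f"{head} {tokens[1].lower()}"
        if two_word in DISCOVERY_COMMANDS:
            return DISCOVERY_COMMANDS[two_word]
    return DISCOVERY_COMMANDS.get(head)


def find_discovery_bursts(events, window=timedelta(minutes=10), min_techniques=4):
    """Return one alert per parent process that spawned at least `min_techniques` distinct
    discovery techniques inside `window`. Alert = (parent_pid, burst start, sorted technique ids)."""
    by_parent = {}
    for ev in events:
        technique = classify_command(ev.command_line)
        if technique:
            by_parent.setdefault(ev.parent_pid, []).append((ev.time, technique))
    alerts = []
    for parent_pid, hits in by_parent.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            seen, j = set(), i
            while j < len(hits) and hits[j][0] - start <= window:
                seen.add(hits[j][1])
                j += 1
            if len(seen) >= min_techniques:
                alerts.append((parent_pid, start, sorted(seen)))
                i = j  # skip past the burst so it is reported once
            else:
                i += 1
    return alerts


T0 = datetime(2023, 6, 26, 14, 0, 0)  # constructed timestamp
SAMPLE_EVENTS = [
    # PID 4120 stands in for the web-server process that ran the actors' commands (constructed).
    ProcEvent(T0, 4120, r'cmd.exe /c "tasklist > C:\Windows\Temp\t.txt"'),
    ProcEvent(T0 + timedelta(seconds=20), 4120, "ping 8.8.8.8"),
    ProcEvent(T0 + timedelta(seconds=45), 4120, "systeminfo"),
    ProcEvent(T0 + timedelta(seconds=70), 4120,
              r"reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall"),
    ProcEvent(T0 + timedelta(seconds=90), 4120, r'cmd.exe /c "dir C:\Users"'),
    ProcEvent(T0 + timedelta(seconds=120), 4120, "netstat -ano"),
    # PID 2210 stands in for an administrator's shell: two tools an hour apart, no alert expected.
    ProcEvent(T0 + timedelta(minutes=5), 2210, "ipconfig /all"),
    ProcEvent(T0 + timedelta(minutes=65), 2210, "whoami /all"),
    ProcEvent(T0 + timedelta(minutes=66), 2210, r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for parent_pid, start, techniques in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"parent {parent_pid} at {start}: {', '.join(techniques)}")
```

The window and threshold decide the trade-off between catching a slow actor and paging on an administrator's troubleshooting session; keying the aggregation on the parent process rather than the host is what makes a web-server worker spawning six discovery tools stand out from normal interactive use.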


In the second and last stage of the attack, the adversary attempts to harvest credentials from the compromised system. First, the adversary decodes the payload with certutil and verifies internet connectivity.

Once this has been achieved, the adversary will attempt to dump the SAM database and the LSASS process which contain password hashes that can be cracked offline or used in Pass-the-Hash attacks.

OS Credential Dumping: Security Account Manager (T1003.002): The built-in reg save command is executed to dump the Windows SAM hive.

OS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating a minidump of the lsass process.

Opportunities to Expand Emulation Capabilities:

In addition to the newly released Assessment Templates, the following scenarios can be used to expand the capabilities of emulations, specifically on Domain Controllers:

  1. List and Create SYSVOL GPOs Script: This scenario involves listing all available Group Policy Objects (GPOs) in a domain and creating a new GPO. It is designed to simulate the actions of an attacker who gains access to a Domain Controller and attempts to manipulate GPO settings. This scenario is crucial for testing the ability of security controls to detect and prevent unauthorized access and modifications to GPOs within a network environment.
  2. Dump Active Directory Database using Volume Shadow Copy via esentutl.exe: This scenario will attempt to copy the locked NTDS.dit file by creating a Volume Shadow Copy (VSC) using esentutl.exe. Since NTDS.dit is encrypted with the Windows Boot Key, the scenario will dump the SYSTEM registry hive using reg.exe to retrieve the key needed to decrypt the file.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. OS Credential Dumping: LSASS Memory (T1003.001) and OS Credential Dumping: Security Account Manager (T1003.002):

Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process, or from the Security Account Manager (SAM) database.

2a. Detection

Search for executions of comsvcs that attempt to access the LSASS process.

Process Name == (comsvcs)
Command Line CONTAINS ('lsass')

Search for executions of reg.exe attempting to save the SAM registry hive.

Process Name == (reg.exe)
Command Line CONTAINS ('reg save hklm\sam C:\WINDOWS\TEMP\sam')

2b. Mitigation

MITRE ATT&CK recommends the following mitigations:

Wrap-up

In summary, these new pieces of content will evaluate security and incident response processes and support the improvement of your security control posture against the activities associated with the exploitation of this vulnerability. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.