Euro Security Watch with Mathew J. Schwartz

Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

Ransomware Patch or Perish: Attackers Exploit ColdFusion

Cring Ransomware Unleashed After Attackers Exploit Unpatched Flaw From 2009
Ransomware Patch or Perish: Attackers Exploit ColdFusion
Ransom note left by attackers wielding Cring ransomware (Source: Sophos)

For battling ransomware, experts advise security teams to keep current on how attackers have been hacking their latest victims. In particular, they need to learn from attacks that target other organizations in their sector, and apply this knowledge to ensure they have the right defenses in place to avoid becoming an attacker's next victim.

See Also: 5 Requirements for Modern DLP

At the same time, they also need a decent level of basic preparedness. For example, witness how one technology services firm recently saw its systems get crypto-locked with ransomware.

How did attackers break in? Called in to investigate, security firm Sophos found that attackers exploited two publicly known flaws - CVE-2010-2861 and then CVE-2009-3960 - in the victim's 11-year-old installation of Adobe ColdFusion 9, which is a no-longer-supported web-application development platform.

The first flaw is a directory transversal vulnerability, while the second allows for XML injection. The open-source Metasploit penetration-testing framework added exploits for the former in 2011 and the latter in 2010, meaning that exploiting these flaws would have been easy for an attacker with even average skills. Likewise, the flaws would in theory have been easy to spot by a penetration testing team, if the victim had hired one and then acted on its findings.

"The server running ColdFusion was running the Windows Server 2008 operating system, which Microsoft end-of-lifed in January 2020," reports Andrew Brandt, a principal researcher at Sophos. "Adobe declared end-of-life for ColdFusion 9 in 2016. As a result, neither the operating system nor the ColdFusion software could be patched."

Whether attackers went looking for organizations running exploitable ColdFusion software - as in, anyone still running ColdFusion - isn't clear. "We can't speculate as to the attackers' intentions, but as their scan included a lot of paths for other software, we assume that the discovery of the ColdFusion server was incidental to the scans that were performed, although we can't be certain," Brandt tells me.

"The exploit for this particular flaw is a Metasploit module, and the attackers may have used this module, or a similar one, to conduct the break-in," he says. "The incident serves as a stark reminder that IT administrators cannot leave out-of-date critical business systems facing the public internet."

Cring: One of Many Ransomware Operations

If Cring doesn't ring a bell, that's because - among the perhaps dozens of ransomware groups in operation - it's not very well known.

"The Sophos Rapid Response team has investigated one Cring ransomware incident, and the only other investigation we're aware of was reported on earlier this year by Kaspersky and involved a completely different method of breaking in, with one common element being that the attackers targeted very out-of-date, vulnerable internet-facing software each time," Brandt says.

In April, Kaspersky reported that "in early 2021, threat actors conducted a series of attacks on industrial enterprises in Europe."

Called in to investigate the outbreak at one of those firms, it found that the attackers had exploited a credential disclosure vulnerability - CVE-2018-13379 - in FortiOS to exploit the organization's Fortigate VPN. The vulnerability came to light in 2019 and was soon patched. Again, there's a free Metasploit exploit for the flaw.

Essential Defenses

For years, law enforcement officials and security experts have been urging businesses to better prepare, and have good defenses in place, to lessen the chance that they might consider having to pay a ransom to recover their data.

Too many organizations, however, are still failing to do the basics, including:

  • Using multifactor authentication wherever possible;
  • Locking down remote access, especially for administrator accounts;
  • Segmenting networks to blunt the impact of an attacker gaining access to one system and traversing to others;
  • Knowing all software being used and ensuring it remains updated;
  • Installing the latest security patches.

While that might sound basic, those were among the recommendations detailed in a joint cybersecurity advisory issued Wednesday by the U.S. government, specifically to combat a recent increase in the pace of attacks tied to Conti ransomware.

But the guidance applies to defending against any type of online attack. Furthermore, the fact that the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency see the need to remind organizations that unless they do the basics they'll be sitting ducks for ransomware demonstrates that too many of them are continuing to fail to heed such advice.

Cybercrime Remains a Business

Ransomware-wielding attackers want to hit as many victims as possible, in the least amount of time, using minimal effort and with maximum chance of reward. Failing to have proper security defenses in place only plays into criminals' strategy.

But as Europol's Philipp Amann, head of strategy for its European Cybercrime Center, said in an interview earlier this year, even small security improvements can make a big difference. Attackers wielding Emotet malware, for example, often cultivated lists of potential victims and then tried to brute-force their admin passwords.

If, however, they found that would-be victims had two-factor authentication or other "technical measures that make it more difficult to be successful, they'll move to other victims," he told me.

Specifically where ransomware is concerned, these types of minimum security defenses - including having a well-tested backup and restoration strategy, with backups stored offline - can make the difference between falling victim and having an attacker look elsewhere. The likes of a ColdFusion installation that is a decade out of date, however, really isn't going to cut it.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.