20231208002 - Adobe ColdFusion Exploitation CISA Advisory (#434)
* 20231122001 - Juniper

* 20231122002 - GNU C Library + typo correction

* 20231123002 + Table template

* 20231129001

* 20231204002 - CyberAv3ngers

* 20231206001 + template update

* 20231206001 typo correction

* Template link removal

* 20231208001 + Template for OT Advisories

* File Rename

* 20231208002 - Adobe ColdFusion Exploitation - CISA Advisory
JadonWill authored Dec 8, 2023
1 parent afc5b6a commit bde1503
Showing 1 changed file with 25 additions and 0 deletions.
@@ -0,0 +1,25 @@
# CISA Publish Joint Advisory on Cyber Actors Exploiting Adobe ColdFusion - 20231208002

## Overview

Since the publication of [Advisory #20231206002](https://soc.cyber.wa.gov.au/advisories/20231206002-Known-Exploited-Vulnerability-Adobe-ColdFusion/), CISA have released a joint Cybersecurity Advisory (CSA) [Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a) in response to the **active exploitation** of Adobe ColdFusion versions. The advisory includes tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.

This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations.


## Background and Technical Details

In June 2023, through the exploitation of [**CVE-2023-26360**](https://www.cve.org/CVERecord?id=CVE-2023-26360), threat actors were able to establish an initial foothold on two agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software which are vulnerable to various CVEs.

Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion.



## Recommendations

The WA SOC encourages administrators to review this guidance and implement its mitigations and recommendations. Additionally, it is highly recommended to review the noted Incident details for additional TTPs used for context and reference when performing investigation.


## References

- [**Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers**](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a)
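Review bot: The Recommendations section tells administrators to "implement its mitigations and recommendations" but the advisory itself never states the remediation; since the Overview already names the vulnerable versions (ColdFusion 2018 Update 15 and earlier, 2021 Update 5 and earlier, plus 2016 and 11), add one sentence there saying to update to a version newer than those, and to prioritise any internet-facing or pre-production instance, so a reader gets the action without following the CISA link. Minor wording in the same file: the title "CISA Publish Joint Advisory" should read "CISA Publishes Joint Advisory", "CISA have released" should be "CISA has released", and "active exploitation of Adobe ColdFusion versions" reads better as "active exploitation of vulnerable Adobe ColdFusion versions". The stacked blank lines before "## Background and Technical Details", "## Recommendations" and "## References" should be collapsed to one to match the other advisories in the repository.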
