Hackers exploited out-of-support software to scan federal systems, CISA says

The nation's cyber defense agency is warning tech shops about two cybersecurity breaches targeting out-of-support versions of Adobe ColdFusion and reminding agencies to keep up with software updates.

The Dec. 5 bulletin from the Cybersecurity and Infrastructure Security Agency details two incidents dating back to June 2023 in which public-facing web servers were targeted using a known vulnerability in out-of-support versions of Adobe ColdFusion. The agency that was victimized by the exploits was not named. 

In one incident, CISA's analysts observed that hackers uploaded malware designed to abet "future malicious activity by the threat actors" including the siphoning of user credentials for further access. The infiltrators also created a "staging folder to support threat actors' malicious operations" The infiltrators also took steps to cover their tracks, the report said.

In the second incident, hackers were able to move laterally across a public-facing web server running an unsupported version of Adobe ColdFusion and attempted unsuccessfully to exfiltrate registry files containing account information on users. Additionally, the CISA analysts concluded that hackers were able to view information in a file that could support password decryption, but according to the report, "no malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords" using information contained in the compromised file.

According to the report, it's not known whether the same threat actors were responsible for both incidents.

Under CISA's standing binding operational directive from November 2021, "known exploited vulnerabilities should be the top priority for remediation." In the Dec. 5 advisory, CISA urged agencies to upgrade all software that is vulnerable to the exploit and to prioritize fixes to public-facing systems.