SpiderLabs Blog

ColdFusion Admin Compromise Analysis (CVE-2010-2861)

In a previous blog post, I provided "Method of Entry" analysis for a ColdFusion compromise based on sanitized data from a SpiderLabs IR/Forensics team investigation, which resulted in the attacker installing a malicious IIS module that captured customer credit card data. In this blog post, we will analyze another ColdFusion compromise that again resulted in customer credit card data being stolen; however, the initial vulnerability and the exfiltration method differed.

Thanks to my SpiderLabs colleagues Jon Spruill, Grayson Lenik and Ryan Jones (IR/Forensics), Ryan Linn (Pentest) and Chris Woodbury (Research - Vulnerability Analysis Team), for assistance with this blog post.

Step 1: Access Password Hashes (CVE-2010-2861)

The vulnerability exploited in this attack was CVE-2010-2861.

[Image: CVE-2010-2861 vulnerability details]

Here is a sanitized snippet from the IIS web server log file, recorded when the attacker sent the directory traversal attack data in the "locale" parameter of the "enter.cfm" page:

[Image: sanitized IIS log entry showing the directory traversal in the "locale" parameter of enter.cfm]

The attacker is attempting to access the ColdFusion "password.properties" file. A successful request presents the attacker with data similar to the following example in the HTML response:

[Image: HTML response containing the contents of password.properties]

Notice that the HTML page now contains the password hash data from the password.properties file. This data can be used directly by the attacker: they do not even need to attempt hash cracking, as it is possible to simply submit the hash value in the password field of the login form and ColdFusion will authenticate the user with it.
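As an added illustration (not code from the original post), here is a small Python detector for the Step 1 request pattern, run over constructed IIS W3C log lines. It parses the "#Fields:" header, percent-decodes the query string a bounded number of times so that double-encoded variants collapse to one form, and flags any parameter value that carries a traversal sequence, a null byte, or a reference to password.properties. The /CFIDE/administrator/ path prefix, the addresses and the timestamps in the sample are assumptions chosen for the example.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample IIS W3C log lines (not from the original post). The field layout
# follows IIS's "#Fields:" header; the last line encodes the traversal twice to
# exercise the bounded decoder.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2013-08-01 10:15:02 10.0.0.5 GET /CFIDE/administrator/enter.cfm locale=../../../../../../lib/password.properties%00en 80 - 203.0.113.7 Mozilla/5.0 200
2013-08-01 10:15:40 10.0.0.5 GET /CFIDE/administrator/enter.cfm - 80 - 198.51.100.3 Mozilla/5.0 200
2013-08-01 10:16:11 10.0.0.5 GET /index.cfm locale=en 80 - 198.51.100.9 Mozilla/5.0 200
2013-08-01 10:17:30 10.0.0.5 GET /CFIDE/administrator/enter.cfm locale=..%252F..%252F..%252Fpassword.properties%2500en 80 - 203.0.113.7 Mozilla/5.0 200
"""

TRAVERSAL = re.compile(r"\.\./")
SENSITIVE = re.compile(r"password\.properties", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def normalize(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) and unify slashes, so double-encoded
    and backslash variants collapse to the same form the rules check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify(record):
    """Return a hit dict for a suspicious request, or None for a benign one."""
    query = record.get("cs-uri-query", "-")
    if query == "-":
        return None
    reasons = set()
    for name, values in parse_qs(normalize(query), keep_blank_values=True).items():
        for value in values:
            if TRAVERSAL.search(value):
                reasons.add(f"directory traversal in '{name}'")
            if SENSITIVE.search(value):
                reasons.add(f"password.properties referenced in '{name}'")
            if "\x00" in value:
                reasons.add(f"null byte in '{name}'")
    if not reasons:
        return None
    return {
        "client": record.get("c-ip"),
        "uri": record.get("cs-uri-stem"),
        "status": record.get("sc-status"),
        "reasons": sorted(reasons),
    }


def scan(text):
    """Run the classifier over every request line and keep the hits."""
    return [hit for hit in map(classify, parse_w3c(text)) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The status field is carried through on purpose: a traversal request that came back 200 (rather than 404 or 500) is the one worth escalating first, since it is the one most likely to have returned the file.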

Step 2: Login with CFADMIN Password Hash

Here are two log snippets showing the attacker successfully logging in with the obtained hash value:

[Image: two IIS log entries showing the login with the obtained hash value]

After successful authentication, the attacker received a 302 redirect to the index.cfm page.

Step 3: Create a New Scheduled Task

Once the attacker was logged into ColdFusion as an admin, they immediately went to the Scheduled Tasks page.

[Image: IIS log entry for the request to the Scheduled Tasks page]

This is what the Scheduled Tasks web page looks like:

[Image: ColdFusion Administrator Scheduled Tasks page]

The attacker then clicked on the "Schedule New Task" button:

[Image: IIS log entry for the "Schedule New Task" request]

This presented them with a screen similar to the following:

[Image: new Scheduled Task form]

The attacker then filled in the Scheduled Task form to instruct ColdFusion to download a backdoor/webshell called "a.cfm" from a remote URL.

[Image: Scheduled Task form configured to fetch a.cfm from a remote URL]

Step 4: Execute the Task and Download Backdoor/Webshell

The attacker then immediately sent a request to execute the new task, which downloaded the webshell file:

[Image: IIS log entry for the request that executed the scheduled task]

The attacker then cleaned up by removing the scheduled task:

[Image: IIS log entry for the scheduled task deletion]

Step 5: Access "a.cfm" Backdoor/Webshell

The attacker then used their web browser to access the "a.cfm" backdoor/webshell page.

[Image: IIS log entry for the request to a.cfm]

The webshell looked similar to the following screenshot:

[Image: a.cfm webshell interface]

Step 6: Review Application's "Checkout" Process

The attacker then proceeded to walk through and test the site's multi-step checkout process, the one customers go through when purchasing items.

[Image: IIS log entries showing the attacker stepping through the checkout pages]

After running through this process, the attacker identified that the final page that receives the customer's credit card data is "Checkout_Step_4".

Step 7: Edit Checkout_Step_4 to Capture Credit Card Data

The attacker then used the a.cfm webshell to edit the Checkout_Step_4 file:

[Image: a.cfm webshell opening Checkout_Step_4 for editing]

The bolded/highlighted code below is what the attacker added to this page:

[Image: Checkout_Step_4 source with the attacker's added code highlighted]

Notice that this CF code takes the customer data and appends it to a file called "noties.txt". This file is located in the website's document root so that the attacker can retrieve it over the web for exfiltration. After editing the file, the attacker then uses the a.cfm webshell page to save the changes:

[Image: a.cfm webshell saving the modified Checkout_Step_4 file]
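The tampering in Step 7 changes a server-side template and drops a plaintext file into the document root; a file-integrity baseline catches both. The following Python script is an added example, not the post's or the victim site's code: it hashes .cfm/.cfc/.cfml files under a web root, diffs a later scan against the stored baseline, and separately lists .txt files sitting in the root. The demo() scenario, the file names other than Checkout_Step_4.cfm and noties.txt, and the stand-in file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Server-side source files whose content should only change during a deployment.
WATCHED_SUFFIXES = {".cfm", ".cfc", ".cfml"}


def file_digest(path):
    """SHA-256 of a file, read in chunks so large templates are not loaded at once."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot):
    """Map each watched source file (path relative to the web root) to its digest."""
    webroot = Path(webroot)
    return {
        p.relative_to(webroot).as_posix(): file_digest(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(webroot, baseline):
    """Diff the live tree against a baseline, and also list loose .txt files under the
    document root, since a capture file dropped there is retrievable over HTTP."""
    webroot = Path(webroot)
    current = build_baseline(webroot)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "data_files": sorted(
            p.relative_to(webroot).as_posix()
            for p in webroot.rglob("*.txt")
            if p.is_file()
        ),
    }


def demo():
    """Constructed scenario: baseline a tiny web root, then simulate the tampering
    described in the post (template appended to, capture file placed in the root)."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        checkout = webroot / "Checkout_Step_4.cfm"
        checkout.write_text("<!--- constructed stand-in for the real checkout template --->\n")
        (webroot / "index.cfm").write_text("<cfoutput>store front</cfoutput>\n")
        baseline = build_baseline(webroot)
        # Tampering: an appended block in the template and a new .txt file in the web root.
        with checkout.open("a") as handle:
            handle.write("<!--- constructed stand-in for the injected capture code --->\n")
        (webroot / "noties.txt").write_text("constructed placeholder for captured data\n")
        return compare(webroot, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is written out at deployment time and stored off the web server, so that an attacker with a webshell cannot simply re-baseline after editing; the comparison then runs on a schedule and any "modified" or "added" entry outside a known deployment window is an incident, not a change request.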

Step 8: Periodically Access Noties.txt and Profit

With this credit-card-snarfing CF code in place, the attacker can then periodically access the "noties.txt" page and exfiltrate the data:

[Image: IIS log entries showing the attacker's requests for noties.txt]

ColdFusion Botnet Connection?

Brian Krebs, an independent investigative security reporter, recently described compromises at two organizations that appeared to be the result of a ColdFusion botnet campaign; in his report, both companies were compromised through vulnerabilities in ColdFusion. Here is a snippet of one of the breach notification pages:

[Image: excerpt from one of the breach notification pages]

Sounds familiar, right? We do not have any specific confirmation as to how these companies were compromised or the exact code implemented by the attackers in those incidents; however, the attack vectors are strikingly similar.

Conclusions

Attacker Trend: Accessing Credit Card Data In-Transit

As organizations make improvements to their sensitive data storage practices, criminals are responding with methods that access credit card data in transit, including:

  • POS Malware - that scrapes in-memory data before it is sent across the network encrypted.
  • Network Sniffing Malware - that captures data traversing internal network access points in non-encrypted form (no SSL).
  • Time of Purchase Malware - as in this example, where attackers add malicious code directly to web applications to grab customer data as it is submitted from the customer's browser.

Keep 3rd Party Apps Up-to-Date

The first glaring issue identified here was that this site was popped by a vulnerability from 2010. Organizations have many "Time-to-Fix" challenges, but 3+ years is not going to cut it. There must be processes in place to manage/update software versions, especially when vulnerabilities are released. There are many publicly available tools that actively look for this specific vuln, such as cfide-autopwn. Trustwave offers PCI scanning services that can check for these types of vulnerabilities.

Web Application Firewall (WAF) Protections

In addition to code update processes, organizations should also deploy WAFs to help identify active attacks. Trustwave WAFs can identify and block the example attack outlined in this blog post.
