A recently patched Adobe ColdFusion flaw is being exploited by an APT group linked to China.
According to security researchers at Volexity, the vulnerability, CVE-2018-15961, is a critical unrestricted file upload vulnerability that can also lead to arbitrary code execution.
In a blog post, the researchers said that a suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell.
"The target server was missing a single update from Adobe that had been released just two weeks earlier," they said.
The flaw was fixed in September this year, when Adobe issued security bulletin APSB18-33, which addressed a variety of issues including an unauthenticated file upload vulnerability. This vulnerability was assigned CVE-2018-15961 and affects ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier) and ColdFusion 2018 (12 July release).
According to researchers, this effectively includes all versions of ColdFusion released over the past four years.
The vulnerability was found in CKEditor, the WYSIWYG rich-text editor bundled with ColdFusion. Adobe previously used FCKeditor.
"It appears that when Adobe decided to replace FCKeditor with CKEditor, they inadvertently introduced an unauthenticated file upload vulnerability," said researchers.
Researchers said that the vulnerability is easily exploited through a simple HTTP POST request to upload.cfm, a file that is not access-restricted and requires no authentication.
"Volexity observed the APT group exploit CVE-2018-15961 in order to upload the JSP version of China Chopper and execute commands on the impacted web server before being cut off," researchers said.
They noted that ColdFusion does attempt to restrict the file types that are allowed for upload via CKEditor in a configuration file called settings.cfm.
Following the identification of the exploit, researchers examined several Internet-accessible ColdFusion web servers and found that many of them appeared to be compromised.
"The webservers belonged to a variety of organisations, such as educational institutions, state government, health research, humanitarian aid organisations, and more. Each of the sites showed signs of attempted webshell uploads or had HTML files designed to show they had been defaced," said researchers.
Some of the affected websites contained an HTML index file that purported to be from the hacktivist group "TYPICAL IDIOT SECURITY". This hacktivist group appears to be of Indonesian origin, with the member AnoaGhost also having ties to a pro-ISIS hacktivist group, said researchers.
Researchers said that if a ColdFusion server is Internet facing, it is worth examining the log files and directories for anything that looks out of place or suspicious.
"If suspect log entries or files are discovered, a more thorough analysis is likely warranted," said researchers, adding that organisations should apply patches as soon as they are available.
"A vigilant patch management process is necessary to protect against threats such as described above with CVE-2018-15961."
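The log review the researchers recommend can be partly automated. The following is an added example (not Volexity's or Adobe's code) that scans web-server access logs in combined format for POSTs to upload.cfm and for later requests to JSP files from the same source address, which is the pattern a JSP webshell upload would leave. The sample log lines and their request paths are constructed for illustration; only the upload.cfm filename and the JSP payload type come from the article.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined format); paths are made up,
# only the "upload.cfm" filename is taken from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Nov/2018:08:01:12 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [13/Nov/2018:08:02:40 +0000] "POST /cf_scripts/ckeditor/upload.cfm?path=%2F HTTP/1.1" 200 312
203.0.113.7 - - [13/Nov/2018:08:02:55 +0000] "POST /userfiles/file/shell.jsp HTTP/1.1" 200 87
10.0.0.9 - - [13/Nov/2018:08:03:10 +0000] "GET /images/logo.png HTTP/1.1" 200 9012
198.51.100.2 - - [13/Nov/2018:08:04:01 +0000] "POST /cf_scripts/ckeditor/upload.cfm HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The observed payload was a JSP China Chopper; .cfm is deliberately excluded
# because legitimate ColdFusion traffic requests .cfm pages constantly.
SCRIPT_EXT = (".jsp", ".jspx")

def parse(line):
    """Split one combined-format line into ip, ts, method, path, status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = urlsplit(d["target"]).path   # drop the query string
    d["status"] = int(d["status"])
    return d

def find_suspicious(log_text):
    """Return (ip, timestamp, reason) tuples for every upload.cfm POST and for
    any JSP request made by an address whose upload POST was accepted."""
    hits, uploaders = [], set()
    for line in log_text.splitlines():
        r = parse(line)
        if r is None:
            continue
        base = r["path"].rsplit("/", 1)[-1].lower()
        if r["method"] == "POST" and base == "upload.cfm":
            ok = 200 <= r["status"] < 300
            hits.append((r["ip"], r["ts"], "upload.cfm POST " + ("accepted" if ok else "rejected")))
            if ok:
                uploaders.add(r["ip"])
        elif r["ip"] in uploaders and base.endswith(SCRIPT_EXT):
            hits.append((r["ip"], r["ts"], "script request after upload: " + r["path"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```

Any hit for an unpatched server, or any upload.cfm POST from an address that never authenticated, is the point at which the more thorough analysis the researchers mention is warranted.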