Security Market Segment LS
Wednesday, 22 September 2021 11:02

Attackers use old Windows ColdFusion server to spread Cring ransomware Featured

Attackers use old Windows ColdFusion server to spread Cring ransomware Pixabay

Old sometimes is not gold, especially when it comes to ancient versions of ColdFusion running on versions of Windows that have reached their end-of-life, as the global security firm Sophos has demonstrated through its research into a server that was taken over by unknown actors using the Cring ransomware.

Andrew Brandt, principal researcher at SophosLabs, said the recent findings — no time element was given — had shown that Adobe ColdFusion 9 — which is 11 years old — and Windows Server 2008 — which was declared end-of-life for the Web-application development platform in 2016 — were running on the server that served as an entry point. Sophos has since clarified that the findings were made in August this year.

Several other machines were also hit with the same ransomware and made inaccessible, but the box running ColdFusion was partially recoverable and artefacts from this machine were used in the research.

Brandt said the attackers had entered from an IP address allocated to the Ukrainian ISP Green Floid and begun a scan. After ascertaining that an old version of ColdFusion was present, the attackers had then used a directory traversal vulnerability [CVE-2010-2861] to extract the file from the server.

Next, it appears that another flaw, CVE-2009-3960, was used to inject a file using the HTTP POST method. Brandt theorised that this file could have been Web shell code designed to pass parameters directly to the Windows command shell. It was recovered from the server inside a Cascading Stylesheet file.

About two-and-half days later, the attackers returned before midnight on the weekend and dropped a number of files on the server, before creating a scheduled task that used the Windows Script Host to execute files based on a set of parameters.

A second Web shell was then placed in a second ColdFusion directory and used to export a number of Registry hives which could be used to harvest data at leisure.

cring ransom sophos

The ransom note issued by the Cring ransomware. Courtesy Sophis

About five hours after this was completed, the attackers used the Windows Management Instrumentation command-line utility to invoke PowerShell and download files from a server whose IP geolocates to Belarus. They also created a user account with admin privileges.

The next step in the attack was to run commands that profiled the system, obtain DomainAdmin privileges and then explore other servers using those credentials. The attackers also dropped
the Cobalt Strike beacon on other machines.

These actions were blocked by HitmanPro, a portable anti-malware program, whereupon the attackers started targeting Sophos endpoint protection which was blocking the effort to load the beacon.

But the attackers then used the Web shell they had loaded to disable both the Sophos endpoint protection and Windows Defender. Several VMs were then detected on the server and these were shut down.

The ransomware was spread as a last action. "Finally, at about 79 hours after the initial breach of the ColdFusion server, the attacker delivered a ransomware executable named msp.exe, encrypting the system and the folders containing the virtual machine disk images," said Brandt.

"The attackers deleted the Volume Shadow Copies, cleared the Event Logs afterward, re-enabled the Sophos security products they had previously disabled."

Brandt also credited senior rapid response analyst Vikas Singh and analysts Shefali Gupta, Krisztián Diriczi, and Chaitanya Ghorpade for their roles in the research.

"Devices running vulnerable, outdated software are low-hanging-fruit for cyber attackers looking for an easy way into a target," said Brandt. "Cring ransomware isn't new, but it's uncommon.

"In the incident we researched, the target was a services company, and all it took to break in was one Internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades.

"But, regardless of what the status is – in use or inactive – unpatched Internet-facing servers or other devices are prime targets for cyber attackers scanning a company's attack surface for vulnerable entry points.

"This is a stark reminder that IT administrators benefit from having an accurate inventory of all their connected assets and cannot leave out-of-date critical business systems facing the public internet. If organisations have these devices anywhere on their network, they can be sure that cyber attackers will be attracted to them. Don't make life easy for cyber criminals."

Update, 23 September: Brandt's blog post said: "Despite the age of the software and the server, the attacker used fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks by deleting logs and other artifacts that could be used in an investigation."

Asked how the two were connected — the age of the software/server and the techniques used — a Sophos spokesperson responded: "The software age thing is weird. So, they used exploits that are fairly old at this point. The exploits are old because the software is very old.

"But the techniques the attackers used to cover their tracks, and their use of modern fileless infection techniques, is relatively recent in development. The juxtaposition of the old and new is what was most intriguing here, mainly because it was so unusual to see such old exploits in use.

"But once we realised the age of the software we were dealing with, it made more sense. And since this threat actor seems to have a history of going after old, vulnerable software, the pieces start to fit together."

Subscribe to ITWIRE UPDATE Newsletter here


It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinatrs and campaigns and assassistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News