Double Blow to US Federal Servers: CISA Requirements Ignored

CISA Reports Serious Attacks on US Federal Agency Servers

The Cybersecurity and Infrastructure Security Agency (CISA) has disclosed details of serious attacks
on two public-facing servers of a US federal agency. The attackers took advantage of a critical vulnerability in Adobe
ColdFusion, designated CVE-2023-26360.

The vulnerability, which was published in March, has become a significant concern. US federal agencies
were given until April 5 to address it. Unfortunately, it was discovered in June and July that the
vulnerability had still not been patched, largely due to Adobe’s negligence. This allowed the attackers to successfully
exploit vulnerable systems for an extended period of time.

CISA did not disclose whether the vulnerability was eventually fully remediated and has not identified the
perpetrators behind these attacks. The agency also did not provide an official statement regarding the missed
remediation deadline.

Through log analysis, it was determined that two separate attacks targeted the federal servers. Both servers were
running outdated versions of ColdFusion and were susceptible to multiple CVEs. The attackers executed various actions
on the compromised servers, including leveraging the vulnerability to install malicious software.

While CISA cannot confirm if any data was stolen, it is believed that both attacks were conducted for the purpose
of reconnaissance to gather information about the wider network. It is unclear if these attacks are linked to the
same group of attackers.

The first attack occurred on June 2, when the attackers gained access to the server via the CVE-2023-26360
vulnerability and performed various reconnaissance activities. However, their subsequent attempts to access accounts
and modify settings on the compromised server were unsuccessful.

The second breach took place on June 26. The attackers again exploited CVE-2023-26360 and
extensively studied the system. However, they were unable to decrypt passwords, as the malicious code was designed
for older versions of ColdFusion.

CISA highlights that the attackers likely obtained the CID value and ColdFusion