https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
Cybersecurity Advisory

THREAT ACTORS EXPLOIT ADOBE COLDFUSION CVE-2023-26360 FOR INITIAL ACCESS TO GOVERNMENT SERVERS

Release Date: December 05, 2023
Alert Code: AA23-339A
Related topics: Cyber Threats and Advisories

ACTIONS TO TAKE TODAY TO MITIGATE MALICIOUS CYBER ACTIVITY:
1. Prioritize remediating known exploited vulnerabilities.
2. Employ proper network segmentation.
3. Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency’s investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.

This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.

Download the PDF version of this report: AA23-339A Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers (PDF, 449.49 KB)

For a downloadable copy of IOCs, see: AA23-339A STIX XML (XML, 23.83 KB) and AA23-339A STIX JSON (JSON, 23.29 KB)

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14.
See the MITRE ATT&CK Tactics and Techniques section for tables mapped to the threat actors’ activity.

OVERVIEW

Adobe ColdFusion is a commercial application server used for rapid web-application development. ColdFusion supports proprietary markup languages for building web applications and integrates external components like databases and other third-party libraries. ColdFusion uses a proprietary language, ColdFusion Markup Language (CFML), for development, but the application itself is built using Java.

In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint (MDE) alerted on the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software that are vulnerable to various CVEs. Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion.

Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. No evidence is available to confirm successful data exfiltration or lateral movement during either incident.

Note: It is unknown if the same or different threat actors were behind each incident.

INCIDENT 1

As early as June 26, 2023, threat actors obtained an initial foothold on a public-facing [T1190] web server running Adobe ColdFusion v2016.0.0.3 through exploitation of CVE-2023-26360. Threat actors successfully connected from malicious IP address 158.101.73[.]241. Disclaimer: CISA recommends organizations investigate or vet this IP address prior to taking action, such as blocking. This IP resolves to a public cloud service provider and possibly hosts a large volume of legitimate traffic.

The agency’s correlation of Internet Information Services (IIS) logs against open source [1] information indicates that the identified uniform resource identifier (URI) /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc was used to exploit CVE-2023-26360. The agency removed the asset from the network within 24 hours of the MDE alert.

Threat actors started process enumeration to obtain currently running processes on the web server and performed a network connectivity check, likely to confirm their connection was successful. Following additional enumeration efforts to obtain information about the web server and its operating system [T1082], the threat actors checked for the presence of ColdFusion version 2018 [T1518]—previous checks were also conducted against version 2016. Threat actors were observed traversing the filesystem [T1083] and uploading various artifacts to the web server [T1105], to include deleting the file tat.cfm [T1070.004]. Note: This file was deleted prior to the victim locating it on the host for analysis. Its characteristics and functionality are unknown. In addition:

* Certutil [2] was run against conf.txt [T1140] and decoded as a web shell (config.jsp) [T1505.003], [T1036.008]. Conf.txt was subsequently deleted, likely to evade detection. Note: Threat actors were only observed interacting with the config.jsp web shell from this point on.
* HTTP POST requests [T1071.001] were made to config.cfm, an expected configuration file in a standard installation of ColdFusion [T1036.005]. Code review of config.cfm indicated malicious code—intended to execute on versions of ColdFusion 9 or less—was inserted with the intent to extract username, password, and data source uniform resource locators (URLs). According to analysis, this code insertion could be used in future malicious activity by the threat actors (e.g., by using the valid credentials that were compromised). This file also contained code used by the threat actors to upload additional files; however, the agency was unable to identify their origin.
* Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell [T1564.001]. Analysis of this phase found no indication of successful execution.
* A small subset of events generated from various ColdFusion application logs identified that tat.cfm, config.jsp, and system.cfm failed to execute on the host due to syntax errors.

Threat actors created various files (see Table 1 below) in the C:\IBM directory using the initialization process coldfusion.exe. None of these files were located on the server (possibly due to threat actor deletion) but are assessed as likely threat actor tools. Analysts assessed the C:\IBM directory as a staging folder to support threat actors’ malicious operations. Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions. Two artifacts are legitimate Microsoft files; threat actors were observed using these files following initial compromise for intended malicious purposes.

Table 1: Threat Actor Tools

File Name: eee.exe
Hash (SHA-1): b6818d2d5cbd902ce23461f24fc47e24937250e6
Description: VirusTotal [3] flags this file as malicious. This was located in D:\$RECYCLE.BIN.

File Name: edge.exe
Hash (SHA-1): 75a8ceded496269e9877c2d55f6ce13551d93ff4
Description: The dynamic-link library (DLL) file msedge.dll attempted to execute via edge.exe but received an error. Note: This file is part of the official Microsoft Edge browser and is a cookie exporter.

File Name: fscan.exe
Hash (SHA-1): be332b6e2e2ed9e1e57d8aafa0c00aa77d4b8656
Description: Analysis confirmed at least three subnets were scanned using fscan.exe, which was launched from the C:\IBM directory [T1046].

File Name: RC.exe
Hash (SHA-1): 9126b8320d18a52b1315d5ada08e1c380d18806b
Description: RCDLL.dll attempted to execute via RC.exe but received an error. Note: This file is part of the official Windows operating system and is called Microsoft Resource Compiler.

Note: The malicious code found on the system during this incident contained code that, when executed, would attempt to decrypt passwords for ColdFusion data sources. The seed value included in the code is a known value for ColdFusion version 8 or older—where the seed value was hard-coded. A threat actor who has control over the database server can use the values to decrypt the data source passwords in ColdFusion version 8 or older. The victim’s servers were running a newer version at the time of compromise; thus, the malicious code failed to decrypt passwords using the default hard-coded seed value for the older versions.

INCIDENT 2

As early as June 2, 2023, threat actors obtained an initial foothold on an additional public-facing web server running Adobe ColdFusion v2021.0.0.2 via malicious IP address 125.227.50[.]97 through exploitation of CVE-2023-26360. Threat actors further enumerated domain trusts to identify lateral movement opportunities [T1482] by using nltest commands.
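The advisory says the agency found Incident 1 by correlating IIS logs against the exploited URI, and it names the two source IP addresses and the config.cfm POSTs. The following Python script is an added defender's example, not part of the advisory or any CISA tooling: it parses IIS W3C extended logs and flags requests that match those indicators. The log lines, the server address 10.0.0.5, and the visitor addresses are constructed for the demonstration.

```python
"""Triage IIS W3C extended logs for the CVE-2023-26360 indicators in CISA AA23-339A."""
from collections import Counter
from dataclasses import dataclass

# Indicators quoted in the advisory. The IPs are defanged there as 158.101.73[.]241 and
# 125.227.50[.]97; CISA asks that they be vetted before acting on them (e.g. blocking).
EXPLOIT_URI = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc"
ADVISORY_IPS = {"158.101.73.241", "125.227.50.97"}
CONFIG_CFM = "/config.cfm"  # legitimate ColdFusion file that received the malicious POSTs


@dataclass(frozen=True)
class Finding:
    line_no: int   # line in the log file (1-based, counting directive lines)
    kind: str      # exploit-uri | post-config-cfm | advisory-ip
    client_ip: str
    method: str
    uri: str


def parse_iis_log(text: str) -> list[dict]:
    """Parse IIS W3C extended log text, naming columns from the '#Fields:' directive."""
    fields: list[str] = []
    records: list[dict] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no request data
        if not fields:
            raise ValueError(f"line {line_no}: request data before any #Fields directive")
        values = line.split()  # IIS encodes spaces inside a field as '+'
        if len(values) != len(fields):
            # Keep malformed lines visible instead of silently dropping evidence.
            records.append({"_line_no": line_no, "_malformed": True, "_raw": raw})
            continue
        rec = dict(zip(fields, values))
        rec["_line_no"] = line_no
        records.append(rec)
    return records


def triage(records: list[dict]) -> list[Finding]:
    """Match each request against the advisory's indicators; one Finding per indicator hit."""
    findings: list[Finding] = []
    for rec in records:
        if rec.get("_malformed"):
            continue
        uri = rec.get("cs-uri-stem", "").lower()
        method = rec.get("cs-method", "").upper()
        client_ip = rec.get("c-ip", "")
        base = dict(line_no=rec["_line_no"], client_ip=client_ip, method=method, uri=uri)
        if uri == EXPLOIT_URI:
            findings.append(Finding(kind="exploit-uri", **base))
        if method == "POST" and uri.endswith(CONFIG_CFM):
            findings.append(Finding(kind="post-config-cfm", **base))
        if client_ip in ADVISORY_IPS:
            findings.append(Finding(kind="advisory-ip", **base))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, e.g. {'exploit-uri': 1, 'advisory-ip': 2}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample log (not from the advisory). 10.0.0.5 is the fictitious web server;
# 203.0.113.9 and 198.51.100.7 are documentation addresses standing in for normal visitors.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-06-26 03:14:07 10.0.0.5 GET /index.cfm - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200
2023-06-26 03:15:21 10.0.0.5 POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc - 443 - 158.101.73.241 python-requests/2.31.0 200
2023-06-26 03:16:02 10.0.0.5 POST /config.cfm - 443 - 158.101.73.241 python-requests/2.31.0 200
2023-06-26 03:20:45 10.0.0.5 GET /about.cfm - 443 - 198.51.100.7 Mozilla/5.0+(X11) 404
"""

if __name__ == "__main__":
    hits = triage(parse_iis_log(SAMPLE_LOG))
    for f in hits:
        print(f"line {f.line_no}: {f.kind:15} {f.client_ip:16} {f.method} {f.uri}")
    print(summarize(hits))
```

A hit on the IP alone is low confidence (the advisory notes 158.101.73[.]241 sits on a public cloud provider); a request to the iedit.cfc URI or a POST to config.cfm from the same client is the combination worth escalating.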
The threat actors also collected information about local [T1087.001] and domain [T1087.002] administrative user accounts while performing reconnaissance by using commands such as localgroup, net user, net user /domain, and ID. Host and network reconnaissance efforts were further conducted to discover network configuration, time logs, and query user information.

Threat actors were observed dropping the file d.txt—decoded as d.jsp—via POST command in addition to eight malicious artifacts (hiddenfield.jsp, hiddenfield_jsp.class, hiddenfield_jsp.java, Connection.jsp, Connection_jsp.class, Connection_jsp.java, d_jsp.class, and d_jsp.java/). According to open source information, d.jsp is a remote access trojan (RAT) that utilizes a JavaScript loader [T1059.007] to infect the device and requires communication with the actor-controlled server to perform actions. [4] The agency’s analysis identified the trojan as a modified version of a publicly available web shell code. [5]

After maintaining persistence, threat actors periodically tested network connectivity by pinging Google’s domain name system (DNS) [T1016.001]. The threat actors conducted additional reconnaissance efforts via searching for the .jsp files that were uploaded.

Threat actors attempted to exfiltrate the (Registry) files sam.zip, sec.zip, blank.jsp, and cf-bootstrap.jar. Windows event logs identified the actors were not successful due to the malicious activity being detected and quarantined. An additional file (sys.zip) was created on the system; however, there were no indications of any attempt to exfiltrate it. Analysis identified these files resulted from executed save and compress data processes from the HKEY_LOCAL_MACHINE (HKLM) Registry key, as well as save security account manager (SAM) [T1003.002] information to .zip files. The SAM Registry file may allow for malicious actors to obtain usernames and reverse engineer passwords; however, no artifacts were available to confirm that the threat actors were successful in exfiltrating the SAM Registry hive.

Windows event logs show that a malicious file (1.dat) was detected and quarantined. Analysis determined this file was a local security authority subsystem service (LSASS) dump [T1003.001] file that contained user accounts—to include multiple disabled credentials—and Windows new technology LAN manager (NTLM) passwords. The accounts were found on multiple servers across the victim’s network and were not successfully used for lateral movement.

As efforts for reconnaissance continued, the threat actors changed their approach to using security tools that were present on the victim server. Esentutl.exe [6] was used to attempt this registry dump. Attempts to download data from the threat actors’ command and control (C2) server were also observed but blocked and logged by the victim server.

Threat actors further attempted to access SYSVOL, which is used to deliver policy and logon scripts to domain members on an agency domain controller [T1484.001]. The attempt was unsuccessful. Had the attempt succeeded, the threat actors may have been able to change policies across compromised servers. [7]

Note: During this incident, analysis strongly suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface. The seed.properties file contains the seed value and encryption method used to encrypt passwords. The seed values can also be used to decrypt passwords. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in the seed.properties file. Versions of ColdFusion 9 or greater use the seed.properties file, which contains unique seed values that can only be used on a single server.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2-9 for all referenced threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 2: Initial Access
* Exploit Public-Facing Application (T1190): Threat actors exploited two public-facing web servers running outdated versions of Adobe ColdFusion.

Table 3: Execution
* Command and Scripting Interpreter: JavaScript (T1059.007): In correlation with open source information, analysis determined d.jsp is a RAT that utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions.

Table 4: Persistence
* Server Software Component: Web Shell (T1505.003): Threat actors uploaded various web shells to enable remote code execution and to execute commands on compromised web servers.

Table 5: Privilege Escalation
* Domain Policy Modification: Group Policy Modification (T1484.001): Threat actors attempted to edit SYSVOL on an agency domain controller to change policies.

Table 6: Defense Evasion
* Masquerading: Match Legitimate Name or Location (T1036.005): Threat actors inserted malicious code with the intent to extract username, password, and data source URLs into config.cfm—an expected configuration file in a standard installation of ColdFusion.
* Masquerading: Masquerade File Type (T1036.008): Threat actors used the .txt file extension to disguise malware files.
* Indicator Removal: File Deletion (T1070.004): Threat actors deleted files following upload to remove malicious indicators.
* Deobfuscate/Decode Files or Information (T1140): Threat actors used certutil to decode web shells hidden inside .txt files.
* Hide Artifacts: Hidden Files and Directories (T1564.001): Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell.

Table 7: Credential Access
* OS Credential Dumping: LSASS Memory (T1003.001): Threat actors attempted to harvest user account credentials through LSASS memory dumping.
* OS Credential Dumping: Security Account Manager (T1003.002): Threat actors saved and compressed SAM information to .zip files.

Table 8: Discovery
* System Network Configuration Discovery: Internet Connection Discovery (T1016.001): Threat actors periodically tested network connectivity by pinging Google’s DNS.
* Network Service Discovery (T1046): Threat actors scanned at least three subnets to gather network information using fscan.exe, to include administrative data for future exfiltration.
* System Information Discovery (T1082): Threat actors collected information about the web server and its operating system.
* File and Directory Discovery (T1083): Threat actors traversed and were able to search through folders on the victim’s web server filesystem. Additional reconnaissance efforts were conducted via searching for the .jsp files that were uploaded.
* Account Discovery: Local Account (T1087.001): Threat actors collected information about local user accounts.
* Account Discovery: Domain Account (T1087.002): Threat actors collected information about domain users, including identification of domain admin accounts.
* Domain Trust Discovery (T1482): Threat actors enumerated domain trusts to identify lateral movement opportunities.
* Software Discovery (T1518): Following initial access and enumeration, threat actors checked for the presence of ColdFusion version 2018 on the victim web server.

Table 9: Command and Control
* Application Layer Protocol: Web Protocols (T1071.001): Threat actors used HTTP POST requests to config.cfm, an expected configuration file in a standard installation of ColdFusion.
* Ingress Tool Transfer (T1105): Threat actors were able to upload malicious artifacts to the victim web server.

MITIGATIONS

CISA recommends organizations implement the mitigations below to improve their cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to all critical infrastructure organizations and network defenders. CISA recommends that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices, limiting the impact of threat actor techniques and strengthening the security posture for their customers.
For more information on secure by design, see CISA’s Secure by Design webpage.

MANAGE VULNERABILITIES AND CONFIGURATIONS
* Upgrade all versions affected by this vulnerability. Keep all software up to date and prioritize patching according to CISA’s Known Exploited Vulnerabilities Catalog [1.E].
* Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans.
* Prioritize secure-by-default configurations such as eliminating default passwords and implementing single sign-on (SSO) technology via modern open standards. This also includes disabling default credentials.

SEGMENT NETWORKS
* Employ proper network segmentation, such as a demilitarized zone (DMZ) [2.F]. The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or local area network (LAN) remains secure. Organizations typically store external-facing services and resources—as well as servers used for DNS, file transfer protocol (FTP), mail, proxy, voice over internet protocol (VoIP)—and web servers in the DMZ.
* Use a firewall or web-application firewall (WAF) and enable logging [2.G, 2.T] to prevent/detect potential exploitation attempts. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules.
* Implement network segmentation to separate network segments based on role and functionality [2.E]. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses.
* Deploy application-aware network defenses to block improperly formed traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection systems (IDS) based on known-bad signatures are quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide malicious actions and remove data over common protocols, making the need for sophisticated, application-aware defensive mechanisms critical for modern network defenses.

APPLICATION CONTROL
* Enforce signed software execution policies. Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system integrity.
* Application control should be used with signed software execution policies to provide greater control. Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded malicious code. See NSA’s Enforce Signed Software Execution Policies.

MANAGE ACCOUNTS, PERMISSIONS, AND WORKSTATIONS
* Require phishing-resistant multifactor authentication (MFA) [2.H] for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
* Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources.
* Restrict file and directory permissions. Use file system access controls to protect folders such as C:\Windows\System32.
* Restrict NTLM authentication policy settings, including incoming NTLM traffic from client computers, other member servers, or a domain controller. [8]

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:
1. Select an ATT&CK technique described in this advisory (see Tables 2-9).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES
* NIST: CVE-2023-26360
* CISA: KEV Catalog
* CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
* CISA: Decider Tool
* CISA: Cross-Sector Cybersecurity Performance Goals
* CISA: Secure by Design and Default
* CISA: Layering Network Security Through Segmentation
* NSA: Segment Networks and Deploy Application-Aware Defenses
* NSA: Enforce Signed Software Execution Policies
* CISA: Implementing Phishing-Resistant MFA

REFERENCES
[1] Packet Storm Security: Adobe ColdFusion Unauthenticated Remote Code Execution
[2] MITRE: certutil
[3] VirusTotal: File - a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864
[4] Bleeping Computer: Stealthy New JavaScript Malware Infects Windows PCs with RATs
[5] GitHub: Tas9er/ByPassGodzilla
[6] MITRE: esentutl
[7] Microsoft: Active Directory - SYSVOL
[8] Microsoft: Restrict NTLM - Incoming NTLM Traffic

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

VERSION HISTORY

December 5, 2023: Initial version.