Anonymous Said to be Exploiting ColdFusion in Government Hacks

Photo credit: Bad Man Production/

Investigators believe the attacks, which have hit several public-sector agencies, began about a year ago when Anonymous member Lauri Love (indicted in October for hacking NASA) and others found that they could take advantage of a security flaw in Adobe's web application development platform.

As Infosecurity previously reported, the FBI believes the attacks are a widespread problem that should be addressed; they have already affected employees, contractors, family members and others associated with the US Army, Department of Energy, Department of Health and Human Services, and perhaps many more agencies. The breached data includes personal information of at least 104,000 people associated with the Department of Energy, and information on about 20,000 bank accounts.

Adobe ColdFusion has 61 known vulnerabilities. It’s unclear which vulnerability is being used by Anonymous, but right now, only one flaw is listed by Adobe as having an active exploit associated with it. CVE-2013-3336 is a critical vulnerability affecting ColdFusion 10, 9.0.2, 9.0.1 and 9.0 and earlier versions for Windows, Macintosh and UNIX – Adobe has issued a hotfix for the issue. In unpatched versions, it could permit an unauthorized user to remotely retrieve files stored on the server.

In January, just after the Anonymous attacks reportedly started, the company issued a warning that attackers were exploiting unpatched vulnerabilities in ColdFusion. Then in April, web hosting provider Linode said that it had been hit with a zero-day attack that compromised its database, including credit card numbers, parts of its source code and passwords. In a security notice the company said that it had instigated a full password reset for all accounts in the wake of the hit. The hackers used vulnerabilities in Adobe ColdFusion (CVE-2013-1387 and CVE-2013-1388) to carry out the operation. Ironically, these were vulnerabilities that Adobe had patched less than a week before.

Most recently, in November, Adobe released security hotfixes for versions 10, 9.0.2, 9.0.1 and 9.0 of its ColdFusion application server. These address a critical vulnerability that could allow remote, unauthenticated attackers to read information from a vulnerable server, and a reflected cross-site scripting (XSS) flaw whose exploitation requires authentication.

We could soon see more zero-days: this fall Adobe announced that the source code for numerous Adobe products, including Acrobat and ColdFusion, had been stolen, along with millions of customer IDs, passwords and credit-card details.
