ColdFusion Exploits in the News Again

ColdFusion is taking a bashing in the news this week. I think this is rather typical of the news because they can blame an actual company, whereas the massive numbers of PHP exploits go unreported in the regular news. There's no company to blame for PHP failures. Just my humble opinion on the motives of the news media.

The truth:
The "new exploits" are not new; they are newly reported servers that were hit by the same exploit from a year ago. In some cases the compromise was not discovered until recently.

The "ColdFusion BotNet" that is being talked about in the news was taken down last year. The FBI has the person and the servers that were collecting data. I have not been able to get any FBI agent to say that exactly, but I have read news reports alluding to the fact. That, and the fact that the FBI has been notifying people whose servers have been found listed on the "Botnet control panel". Was there more than one botnet? Could be.

Most blog posts on this subject are full of hype and lack details. The only blog post that has the details is mine, which Mark Kruger (aka ColdFusion Muse) published on his blog. The hack referenced above is twofold: one part involves ColdFusion and the other involves IIS.

One of the servers being discussed is currently a client of ours at CF Webtools. They came to us with a compromised server seeking help. We took care of them.

The reminders to make sure your ColdFusion servers are patched just keep coming in! Either patch them yourself, have your hosting provider patch them, or, if they are not familiar or knowledgeable with ColdFusion, contact us at CF Webtools to patch your servers.

UPDATE:
Fellow ColdFusion Guru David C. Epler posted a detailed article on the origins of this exploit in ColdFusion and when it was introduced.

Who Patches Your ColdFusion Servers?

BUSINESS OWNERS: Who is responsible for patching your ColdFusion Servers?

This isn't a trick question. Do you know who is responsible for patching your CF servers?

Do you host your own servers? If so, then you have a Systems Administrator that keeps them patched. Right?

Are you using a hosting provider? Are they keeping your servers up to date? Are they keeping ColdFusion patched? Or is that still the responsibility of your IT team? If you are using a hosting provider, check your service level agreement (SLA) to see whose job it is to keep your servers patched. In many cases (such as VPSs or co-located servers) the hosting provider may not do any maintenance at all. To say that it's better to find this out before you sign an SLA is an understatement. Seriously.

If you're running a company and you don't know the answers to these questions, you owe it to yourself (and your investors) to find out - NOW.

Here's why.
ColdFusion servers are under attack. These are not new attacks. They are ongoing attacks against unpatched ColdFusion servers, and they have been going on for well over a year. There are patches for ColdFusion 9, 10 and 11, but version 8 and earlier can be vulnerable, and in fact are vulnerable. If you're running ColdFusion 8 or older, there is a chance that these patches are not installed according to the Adobe Lockdown Guides (CF9, CF10, CF11).

At CF Webtools we've been receiving calls from companies that have had their servers breached; and, while we like the business - $$$ - we'd rather be called before your servers are breached, not after. Patching and securing a server is far easier than trying to repair one that has already been breached. In the worst cases, we've had to either replace or reinstall the entire server from scratch.

So back to my opening question... Who is responsible for patching your servers? I'm not trying to scare you or create a panic, but I am trying to make you AWARE. Servers getting attacked is nothing new; unfortunately, it happens all the time.

But these attacks are something we know about. We know how they're being done, and even more importantly, we know how to prevent them from getting in.

If no one on your IT team is responsible for patching the servers and/or your hosting company isn't patching the servers then, who will? Who will make sure they are secure? We will.

* UPDATE: This article was updated to include information for ColdFusion 11

ColdFusion Vulnerability Used to Install IIS Malware

First, let me point out that the vulnerability that was found has had a patch available since January 2013. So patch your servers!

While working on servers for our clients at CF Webtools, I found a nasty little Trojan, slipped onto a client's server, that was stealing credit card information. I first read about this type of attack back in December 2013 in PCWorld - Attackers exploited ColdFusion vulnerability to install Microsoft IIS malware. The quick rundown is that an unpatched ColdFusion server allowed an attacker to slip a hidden IIS module onto the server and register it in IIS. This IIS module then steals the credit card data as it passes through IIS. I have the full details posted over on Mark Kruger's (aka ColdFusion Muse) blog.
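Because the theft happens inside a native IIS module rather than in ColdFusion code, one practical check on a Windows/IIS box is to inventory the native (global) modules IIS has registered and look for anything that was not there on a known-clean build. The script below is an added example written for this post; it is not code from the original article or from CF Webtools. It assumes the IIS WebAdministration PowerShell module is available (IIS 7.0 or later, run from an elevated prompt), and the `$Baseline` list of module names is a constructed placeholder: build your own from a server you trust and keep it under version control.

```powershell
# Added example (not from the original post): inventory IIS native modules and flag
# anything that is not in the baseline, is unsigned, or lives outside the inetsrv directory.
Import-Module WebAdministration

# ASSUMED baseline of native module names for this server. Generate yours from a known-clean
# build with:  Get-WebGlobalModule | Select-Object -ExpandProperty Name
$Baseline = @(
    'AnonymousAuthenticationModule', 'CacheFileModule', 'CacheTokenModule', 'CacheUriModule',
    'ConfigurationValidationModule', 'CustomErrorModule', 'DefaultDocumentModule',
    'DirectoryListingModule', 'HttpLoggingModule', 'IsapiFilterModule', 'IsapiModule',
    'ProtocolSupportModule', 'RequestFilteringModule', 'RequestMonitorModule',
    'StaticCompressionModule', 'StaticFileModule',
    'ManagedEngineV4.0_32bit', 'ManagedEngineV4.0_64bit'
)

function Get-SuspiciousIisModules {
    param([string[]] $KnownGood = $Baseline)

    $inetsrv = Join-Path $env:windir 'System32\inetsrv'

    foreach ($m in Get-WebGlobalModule) {
        # IIS stores image paths with environment variables, e.g. %windir%\System32\inetsrv\cachfile.dll
        $path    = [Environment]::ExpandEnvironmentVariables($m.Image)
        $reasons = @()

        if ($KnownGood -notcontains $m.Name) { $reasons += 'not in baseline' }

        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += 'image file missing'
        } else {
            # Inbox IIS DLLs are Microsoft-signed; an unsigned or tampered image is a red flag.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }

            # A native module loaded from somewhere other than inetsrv deserves a second look.
            if ($path -notlike "$inetsrv\*") { $reasons += 'image outside inetsrv' }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $m.Name
                Image   = $path
                Signer  = if ($sig) { $sig.SignerCertificate.Subject } else { '' }
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Run it and show the findings; an empty table means every module matched the baseline,
# carried a valid signature and lived under inetsrv.
Get-SuspiciousIisModules | Format-Table -AutoSize
```

Legitimate third-party modules (URL Rewrite, ARR, and similar) will also be flagged by the baseline and path rules until you add them, so review each hit once and then record it in `$Baseline` rather than tuning the rules away. The same inventory can be taken from `%windir%\System32\inetsrv\appcmd.exe list modules` and diffed against a saved copy on a schedule, which turns a one-off check into ongoing detection.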

Yet one more reminder to make sure your ColdFusion servers are patched! Either patch them yourself, have your hosting provider patch them, or, if they are not familiar or knowledgeable with ColdFusion, contact us at CF Webtools to patch your servers.