Forgotten, unpatched and outdated software is an ideal gateway for cyber criminals. This is also true of the current case of a ransomware attack that took advantage of an 11-year-old Adobe ColdFusion installation running on a server.
Sophos has documented a particularly cunning attack in a report titled "Cring Ransomware Exploits Ancient ColdFusion Server". The Cring ransomware operators attacked their victim after compromising a server running an unpatched, 11-year-old version of Adobe ColdFusion. The victim used the server to collect timesheets and accounting data for payroll and to host a number of virtual machines. The attackers broke into the internet-facing server within a few minutes and executed the ransomware 79 hours later.
Criminals used sophisticated techniques
The Sophos investigation revealed that the attackers' first step was to use automated tools to scan the victim's website. Once they found that an unpatched version of ColdFusion was running on the server, they were able to break in within minutes. They then used particularly sophisticated cover-up techniques: they injected code into memory and covered their tracks by overwriting files with garbage data and deleting logs and other artifacts that threat hunters rely on in their investigations. The attackers were also able to deactivate security products because the tamper protection feature had been switched off. Finally they left a note stating that they had exfiltrated data which they would publish unless a "good deal" was reached.
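The article names two of the attackers' anti-forensic moves: disabling security products and wiping logs. The script below is an added illustration (it is not code from Sophos or from the report) of how a defender can pick those moves out of a batch of Windows event records. It relies on the standard Windows event IDs 1102 (Security log cleared), 104 (a System log file cleared) and 7036 (a service changed state); the event records and the watched service names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    time: str      # ISO-8601 timestamp
    host: str      # machine that wrote the record
    channel: str   # Windows event log channel, e.g. "Security" or "System"
    event_id: int
    message: str


# Standard Windows event IDs that record log clearing:
#   Security 1102 -> "The audit log was cleared"
#   System 104    -> an event log file was cleared
LOG_CLEARED = {("Security", 1102), ("System", 104)}
# System 7036 records a service entering the running or stopped state.
SERVICE_STATE_CHANGE = ("System", 7036)
# Service-name fragments to watch: an assumption for this example,
# adjust to the products actually deployed in your environment.
WATCHED_SERVICES = ("Endpoint Protection", "Anti-Virus", "Defender")


def classify(ev: Event) -> Optional[str]:
    """Return an indicator label for one record, or None if it is benign."""
    if (ev.channel, ev.event_id) in LOG_CLEARED:
        return "log-cleared"
    if (ev.channel, ev.event_id) == SERVICE_STATE_CHANGE and "stopped state" in ev.message:
        text = ev.message.lower()
        if any(name.lower() in text for name in WATCHED_SERVICES):
            return "security-service-stopped"
    return None


def find_anti_forensic_events(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Every (time, host, indicator) triple worth a look, in input order."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev.time, ev.host, label))
    return hits


def summarize_by_host(events: List[Event]) -> Dict[str, List[str]]:
    """Map each host to the sorted list of distinct indicators seen on it.
    A host showing both indicators is the strongest signal: security
    tooling was stopped and the logs were wiped afterwards."""
    summary: Dict[str, set] = {}
    for _time, host, label in find_anti_forensic_events(events):
        summary.setdefault(host, set()).add(label)
    return {host: sorted(labels) for host, labels in summary.items()}


# Constructed sample records (not taken from the incident described above).
SAMPLE_EVENTS = [
    Event("2021-01-01T02:10:00Z", "cf-server", "System", 7036,
          "The Endpoint Protection service entered the stopped state."),
    Event("2021-01-01T02:11:30Z", "cf-server", "Security", 1102,
          "The audit log was cleared."),
    Event("2021-01-01T02:12:00Z", "cf-server", "System", 104,
          "The Application log file was cleared."),
    Event("2021-01-01T03:00:00Z", "file-srv", "System", 7036,
          "The Print Spooler service entered the running state."),
    Event("2021-01-01T03:05:00Z", "file-srv", "System", 7036,
          "The Windows Update service entered the stopped state."),
]

if __name__ == "__main__":
    for hit in find_anti_forensic_events(SAMPLE_EVENTS):
        print(*hit)
    print(summarize_by_host(SAMPLE_EVENTS))
```

Because the records an attacker clears are exactly the ones this check reads, the events have to be forwarded to a collector the server cannot modify before they are useful; the 1102 and 104 entries themselves are written after the clearing and therefore usually survive on the host, which is why they are a reliable trigger.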
Old software is a dangerous gateway
"Devices that use vulnerable and outdated software are exactly the gateways that cybercriminals look for as the easiest route to their victims. The Cring ransomware is not new, but it is rare. In the case examined, the target of the attack was a service company in which only an internet-enabled server with outdated and unpatched software opened the door to the attack. What is amazing is that this server was in daily use. Often, the most vulnerable devices are the inactive ones that were either forgotten or overlooked when upgrading or patching. But regardless of the status - active or inactive - unpatched, internet-enabled servers or devices are the primary targets for cyber criminals who scan for vulnerable entry points. IT administrators should therefore have a precise inventory of all connected devices and not put old, critical company systems on the public network. If organizations have such devices anywhere on their network, they can be almost certain that cybercriminals will be attracted to them," says Andrew Brandt, Principal Researcher at Sophos.
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of in-house analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.