Sophos, a global leader in next-generation cybersecurity, has issued research, “Cring Ransomware Exploits Ancient ColdFusion Server,” describing a sophisticated attack the Cring ransomware operators mounted against a target after compromising a server running an unpatched, 11-year-old version of Adobe’s ColdFusion 9 software. The target used the server to collect timesheet and accounting data for payroll and to host multiple virtual machines. The attackers breached the internet-facing server in minutes and executed the ransomware 79 hours later.
Andrew Brandt, principal researcher at Sophos, said: “Devices running vulnerable, outdated software are low-hanging fruit for cyberattackers looking for an easy way into a target. Cring ransomware isn’t new, but it’s uncommon. In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades.
“But, regardless of what the status is – in use or inactive – unpatched internet-facing servers or other devices are prime targets for cyberattackers scanning a company’s attack surface for vulnerable entry points. This is a stark reminder that IT administrators benefit from having an accurate inventory of all their connected assets and cannot leave out-of-date critical business systems facing the public internet. If organizations have these devices anywhere on their network, they can be sure that cyberattackers will be attracted to them. Don’t make life easy for cybercriminals.”
Sophos found that, following the initial breach, the attackers used fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks by overwriting files with garbled data or deleting logs and other artifacts that threat hunters could use in an investigation. The attackers were also able to disable security products because the tamper-protection functionality was switched off.