Sophos, a global leader in cybersecurity solutions, has revealed an attack by the Cring ransomware operators against a target after hacking a server running an unpatched, 11-year-old version of Adobe’s ColdFusion 9 software.
The target used the server to collect timesheet and accounting data for payroll and to host multiple virtual machines. The attackers breached the internet-facing server in minutes and executed the ransomware 79 hours later.
“Devices running vulnerable, outdated software are low-hanging fruit for cyberattackers looking for an easy way into a target,” said Andrew Brandt, principal researcher at Sophos. “In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use.”
Unpatched internet-facing servers or other devices are prime targets for cyberattackers scanning a company’s attack surface for vulnerable entry points. This is a stark reminder that IT administrators benefit from having an accurate inventory of all their connected assets and cannot leave out-of-date critical business systems facing the public internet.
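The inventory check the paragraph above calls for can be automated. The following is an added example written for this page, not Sophos tooling or anything from the incident: it takes an asset inventory (the hostnames, products, versions and patch dates here are constructed), looks each entry up in an end-of-support table (also constructed; the ColdFusion 9 date is illustrative and should be confirmed against the vendor's lifecycle page), and ranks internet-facing hosts running unsupported or long-unpatched software above internal ones, so that a payroll server like the one in the story surfaces at the top of the list.

```python
"""Rank inventory entries by exposure: internet-facing + end-of-life first.

Added example; asset records and the end-of-support table are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    hostname: str
    internet_facing: bool
    product: str
    major_version: str
    last_patched: date


@dataclass(frozen=True)
class Finding:
    hostname: str
    severity: str  # "critical" | "high" | "medium"
    reason: str


# Constructed lookup keyed by (product, major version). The ColdFusion 9 date is
# illustrative only: verify against the vendor's lifecycle page before relying on it.
END_OF_SUPPORT = {
    ("Adobe ColdFusion", "9"): date(2014, 12, 31),
}


def assess(assets, today, stale_after_days=90):
    """Return findings sorted so the most exposed hosts come first.

    A host is flagged when its software is past vendor end-of-support, or when it
    has not been patched within `stale_after_days`. Internet exposure raises the
    severity one step because those hosts are what attackers' scanners see first.
    """
    findings = []
    stale_cutoff = today - timedelta(days=stale_after_days)
    for asset in assets:
        eol = END_OF_SUPPORT.get((asset.product, asset.major_version))
        is_eol = eol is not None and eol < today
        is_stale = asset.last_patched < stale_cutoff
        if not (is_eol or is_stale):
            continue
        if is_eol:
            reason = f"{asset.product} {asset.major_version} unsupported since {eol.isoformat()}"
            severity = "critical" if asset.internet_facing else "high"
        else:
            reason = f"not patched since {asset.last_patched.isoformat()}"
            severity = "high" if asset.internet_facing else "medium"
        if asset.internet_facing:
            reason += " (internet-facing)"
        findings.append(Finding(asset.hostname, severity, reason))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.hostname))


# Constructed sample inventory: one exposed CF9 host, one internal CF9 host,
# one current edge host, and one internal host that is merely behind on patches.
SAMPLE_INVENTORY = [
    Asset("payroll-web01", True, "Adobe ColdFusion", "9", date(2010, 3, 1)),
    Asset("hr-app02", False, "Adobe ColdFusion", "9", date(2010, 3, 1)),
    Asset("www-edge01", True, "nginx", "1", date(2021, 8, 20)),
    Asset("intranet01", False, "nginx", "1", date(2021, 1, 10)),
]

# Fixed assessment date so the sample output is reproducible.
ASSESSMENT_DATE = date(2021, 9, 15)


if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY, ASSESSMENT_DATE):
        print(f"[{finding.severity.upper():8}] {finding.hostname}: {finding.reason}")
```

In practice the inventory would come from a CMDB export or a vulnerability scanner's asset list rather than a hard-coded list, and the end-of-support table would be maintained per product; the ranking logic stays the same.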
Sophos’ analysis shows that the attackers began by scanning the target’s website using automated tools and were able to break in within minutes once they identified that it was running the unpatched ColdFusion on a server.
Sophos found that following the initial breach, the attackers used fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks by overwriting files with garbled data or deleting logs and other artifacts that threat hunters could use in an investigation. The attackers were also able to disable security products because the tamper-protection functionality was switched off.