Adobe ColdFusion has been at the heart of several high-profile attacks affecting state and federal government agencies, as well as limousine service CorporateCarOnline. ColdFusion enables developers to connect HTML to databases when creating Web applications, but many of its enterprise users still run outdated implementations that are easy to exploit. Hackers have seized the opportunity and conducted campaigns that have harvested sensitive personal and financial data on hundreds of thousands of individuals.
“ColdFusion-induced breaches are definitely on the rise, which teaches us that hackers and security researchers are looking into this platform more and more as a green field for hacking endeavors,” observed Imperva’s Barry Shteiman.
To compound ColdFusion’s troubles, the recent theft of source code for ColdFusion and Adobe Acrobat may have given cyber criminals intricate knowledge of the vulnerabilities in many widely used applications. Given that some of the pilfered data from limousine customers was found on the same server containing the code, there is a clear link between the attack on Adobe’s cloud services and the escalation in ColdFusion exploits.
New cybercriminal attention to ColdFusion demonstrates the significant challenges that these organizations face in creating scalable yet secure IT operations. While ColdFusion is a critical tool in many environments, more needs to be done to address some of its underlying flaws, such as its weak password authentication and loosely guarded administrator privileges.
Limousine services company’s database may have been compromised by ColdFusion exploit
CorporateCarOnline is a Missouri-based provider of software management solutions for the limousine and Town Car services industry. Its website touts an array of security features, including firewalls and packet inspection, designed to keep client information safe in its data centers.
In early November, however, data on more than 850,000 CorporateCarOnline customers was discovered in a file stored on the same servers containing the stolen Adobe code, along with information harvested from PR Newswire in a similar attack. According to security researcher Brian Krebs, the file was, alarmingly, a plaintext record of client names, addresses, and credit card numbers and expiration dates. Many of the cards were high-limit or no-limit American Express accounts, which have high resale value among cybercriminals.
The company’s ColdFusion implementation, which contained a known vulnerability, was likely the easiest route by which the attackers could obtain troves of data on many prominent U.S. lawmakers, athletes, celebrities and CEOs. As Krebs noted, the depth of information on CorporateCarOnline’s elite clientele could become a key asset for spies, both in cyberspace and in the physical world.
“This database would be a gold mine of information for would-be corporate spies or for those engaged in other types of espionage,” explained Krebs. “Records in the limo reservation database telegraphed the future dates and locations of travel for many important people. A ridiculously large number of entries provide the tail number of a customer’s plane, indicating they were to be picked up immediately upon disembarking a private jet.”
The breach of CorporateCarOnline’s databases underscores the urgency of shoring up ColdFusion implementations lest they provide access to data that could cause widespread damage. Fortunately, Adobe Systems seems to be aware of the risks associated with older versions of ColdFusion.
In a detailed rundown of new security features in ColdFusion 10, Shilpi Khariwal explained that Adobe was addressing a wide range of potential vulnerabilities that could lead to cross-site scripting attacks, cross-site request forgery and session ID attacks. Ideally, ColdFusion 10 will be more secure than its predecessor, which exhibits a number of fundamental weaknesses in areas such as password authentication.
Breaches at federal, state government agencies tied to outdated ColdFusion implementations
The stakes for securing ColdFusion are high, given that these basic vulnerabilities have already caused major problems in the public sector. The U.S. Department of Energy recently suffered a widespread breach that also had roots in a problematic ColdFusion implementation. First reported in July, the incident may have compromised personally identifiable information from more than 100,000 current and past DOE employees. Social Security Numbers, names and dates of birth were exposed.
“Based on the findings of the Department’s ongoing investigation into this incident, we do believe PII theft may have been the primary purpose of the attack,” stated the DOE’s frequently asked questions page. “Accordingly, the Department encourages each affected individual to be extra vigilant and to carefully monitor bank statements, credit card statements, emails and phone calls relating to recent financial transactions.”
InformationWeek’s Mathew Schwartz reported that the attackers targeted a system called DOEInfo that was written in an outdated version of ColdFusion and publicly available over the Internet. An anonymous source who described the application’s issues to Schwartz noted that the size of the system and the high cost of overhauling it had prevented the DOE from patching the vulnerabilities.
The Administrative Office of the Courts in Washington state experienced a similar breach. That incident exposed 160,000 Social Security Numbers and more than 1 million driver’s license numbers. As in the CorporateCarOnline case, the stolen data was stored in plaintext and the exact nature of the ColdFusion exploit was unknown. The latter aspect may be the most troubling, since attackers appear to have a wide range of possible weaknesses in ColdFusion 9 to choose from.
Staying on top of the growing ColdFusion threat
A number of ColdFusion exploits began appearing in Metasploit in early 2013. One vulnerability affecting ColdFusion 9.x implementations could bypass authentication and provide attackers with administrator-level access to the ColdFusion system. The flaws in ColdFusion run deep, with administrator privileges not properly hardened within the platform.
While some institutions, like the Administrative Office of the Courts, have been diligent about patching their systems in response to these incidents and discoveries, organizations may need to seek additional help from the cybersecurity community. Many are struggling to assess the broad range of risks that IT infrastructure faces from unpatched software, as well as from business partnerships with third-party vendors that may supply ColdFusion applications.
At the same time, the CorporateCarOnline and government breaches reveal the troubling practice of storing sensitive data in plaintext. While ColdFusion flaws enabled these attacks, the stolen information would have been far less useful to the attackers if it had been encrypted at rest.
Moreover, organizations should take the opportunity to redouble their cybersecurity practices across the entire network by encrypting more assets and getting assistance in updating and patching ColdFusion. With Adobe already focusing on shoring up the vulnerabilities in ColdFusion 9, ideally companies will update to ColdFusion 10 and work with cybersecurity providers to keep tabs on potential weaknesses that can be addressed in the future.