Delaware, USA – November 9, 2018 – A threat group believed to be linked to the Chinese government is actively exploiting an unauthenticated file upload vulnerability (CVE-2018-15961) in Adobe ColdFusion servers to install the China Chopper backdoor. Researchers from Volexity spotted the first attacks in the wild at the end of September, roughly two weeks after Adobe released the update that closes the vulnerability; the attackers evidently analyzed that update and built an exploit for servers that had not yet applied it. CVE-2018-15961 lets an unauthenticated attacker upload a JSP version of the web shell through the CKEditor file upload component and then execute commands on the web server by requesting the uploaded file. ColdFusion filters CKEditor uploads against a list of forbidden file extensions, but .jsp is not on that list in the default configuration, so the web shell is accepted and served from a location the attacker can reach. It is not yet known what the adversaries intend to do with the compromised servers; the backdoor gives them complete control, so the hosts could be used for watering hole attacks, for hosting malware, or as proxies in future operations.
CVE-2018-15961 affects all versions of ColdFusion released over the last four years. If you run a vulnerable version, install the latest updates and then verify that no backdoor was planted before you patched: look for unexpected .jsp files in the CKEditor upload directory and elsewhere under the web root, and review web server logs for POST requests to the CKEditor upload endpoint followed by requests for .jsp files. You can also use the Web Application Security Framework rule pack for ArcSight to detect attacks on your resources in a timely manner and deal with them before they cause severe damage: https://my.socprime.com/en/integrations/web-application-security-framework-hpe-arcsight
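The following is an added example, not code from SOC Prime, Adobe or Volexity. It illustrates two points from the text above: why an extension blocklist that omits .jsp lets a JSP web shell through while an image allowlist does not, and how the post-patch check described above can be run over web server access logs, flagging POSTs to the CKEditor upload endpoint and subsequent requests for .jsp files in the upload directory. The endpoint and upload directory paths, the blocklist contents and the log lines are assumptions constructed for the example; adjust the two path constants to match your ColdFusion installation.

```python
"""
Added example (not the original page's or Adobe's code).

1. Extension blocklist vs. allowlist: the blocklist below is a constructed
   approximation of a server-side "forbidden extensions" list that lacks
   "jsp", the gap the advisory describes. It is not Adobe's actual list.
2. A detector over Common Log Format access-log lines that raises an alert
   for (a) a POST to the CKEditor file-manager upload endpoint and (b) a later
   request for a .jsp/.jspx file inside the upload directory.

UPLOAD_ENDPOINT, UPLOAD_DIR and SAMPLE_LOG are assumptions for this example.
"""
import re
from pathlib import PurePosixPath
from typing import Dict, List

# --- 1. blocklist vs allowlist extension checks -----------------------------

BLOCKLIST = {"cfm", "cfc", "cfml", "exe", "php", "asp", "aspx", "sh", "bat"}
ALLOWLIST = {"jpg", "jpeg", "png", "gif"}


def extension_of(filename: str) -> str:
    """Lower-cased last extension without the dot ('' if there is none)."""
    return PurePosixPath(filename).suffix.lstrip(".").lower()


def blocklist_allows(filename: str) -> bool:
    """Vulnerable check: anything not explicitly forbidden is accepted."""
    return extension_of(filename) not in BLOCKLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened check: every suffix must be a known-safe type, so
    'cmd.jsp' and double extensions like 'shell.jsp.jpg' are both rejected."""
    suffixes = [s.lstrip(".").lower() for s in PurePosixPath(filename).suffixes]
    return bool(suffixes) and all(s in ALLOWLIST for s in suffixes)


# --- 2. detection over access-log lines ------------------------------------

# Assumed paths; verify them against your own ColdFusion deployment.
UPLOAD_ENDPOINT = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm"
UPLOAD_DIR = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/"
SHELL_EXTENSIONS = {"jsp", "jspx"}

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_upload_shell_activity(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious request, in log order."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        path = m["path"].split("?", 1)[0]  # drop the query string
        lowered = path.lower()
        alert = {"ip": m["ip"], "ts": m["ts"], "path": path, "status": m["status"]}
        if m["method"] == "POST" and lowered == UPLOAD_ENDPOINT.lower():
            alerts.append({**alert, "rule": "ckeditor_upload_post"})
        elif lowered.startswith(UPLOAD_DIR.lower()) and extension_of(path) in SHELL_EXTENSIONS:
            alerts.append({**alert, "rule": "jsp_in_upload_dir"})
    return alerts


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Sep/2018:10:01:12 +0000] "GET /cfide/administrator/ HTTP/1.1" 302 0',
    '203.0.113.7 - - [28/Sep/2018:10:01:15 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?path=/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Sep/2018:10:01:20 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/cmd.jsp HTTP/1.1" 200 0',
    '198.51.100.4 - - [28/Sep/2018:10:02:00 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("blocklist accepts cmd.jsp:", blocklist_allows("cmd.jsp"))
    print("allowlist accepts cmd.jsp:", allowlist_allows("cmd.jsp"))
    for alert in find_upload_shell_activity(SAMPLE_LOG):
        print(alert)
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; a POST to the upload endpoint that is later followed by a successful GET for a .jsp file from the same client is the sequence worth escalating. The allowlist check also rejects multi-extension names such as photo.jpg.old, which is deliberate: accept only what the application actually needs to serve.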