![cobalt strike beacon upload](https://www.cobaltstrike.com/wp-content/uploads/2016/09/cobaltstrike_ssh2.png)
#COBALT STRIKE BEACON UPLOAD WINDOWS#
Three minutes later, the attacker took advantage of CVE-2010-2861, a directory traversal vulnerability in ColdFusion that permits a remote user to retrieve files from web server directories that aren’t supposed to be available to the public. In this case, they retrieved a file called password.properties from the server. Next, the attacker appears to have exploited another vulnerability in ColdFusion, CVE-2009-3960, which permits a remote attacker to inject data through an abuse of ColdFusion’s XML handling protocols. This permitted the attacker to upload a file to the ColdFusion server by performing an HTTP POST to the /flex2gateway/amf path on the server. That file may have been this web shell code, designed to pass parameters directly to the Windows command shell, which was recovered from the server inside of a Cascading Stylesheet (CSS) file. They then attempted to use the web shell to load a Cobalt Strike beacon executable onto the server. The attacker wrote out the web shell, encoded in base64, from c:\windows\temp\csa.log to E:\cf9_final\cfusion. Using the beacon, they afterward overwrote the file that contained the web shell, deliberately writing garbled data over the files to hinder any future investigation. Roughly 62 hours later, just before midnight on a Saturday night/Sunday morning, the attackers returned. Finally, at about 79 hours after the initial breach of the ColdFusion server, the attacker delivered a ransomware executable named msp.exe, which ran, encrypting the system and the folders containing the virtual machine disk images. Using the beacon to upload files and execute commands on the now-compromised server, the attackers dropped several files into C:\ProgramData. The attackers deleted the Volume Shadow Copies, cleared the Event Logs afterward, and re-enabled the Sophos security products they had previously disabled. The ransom note appears on the Windows login screen, as a “message of the day” rather than just as a text file on the desktop.
![cobalt strike beacon upload](https://thedfirreport.com/wp-content/uploads/2021/07/image-3.png)
Logs from the server indicate that an attacker, using an internet address assigned to Ukrainian ISP Green Floid, began scanning the target’s website just before 10am local time, and used an automated tool to try to browse to more than 9000 paths on the target’s website in just 76 seconds. The scans revealed that the web server was hosting valid files and URI paths specific to ColdFusion installations, such as /admin.cfm, /login.cfm, and /CFIDE/Administrator/. Scans by the threat actor revealed they found these web server pages used by ColdFusion.
#COBALT STRIKE BEACON UPLOAD SOFTWARE#
Adobe declared end-of-life for ColdFusion 9 in 2016. As a result, neither the operating system nor the ColdFusion software could be patched. Despite the age of the software and the server, the attacker used fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks by deleting logs and other artifacts that could be used in an investigation. The incident serves as a stark reminder that IT administrators cannot leave out-of-date critical business systems facing the public internet.
![cobalt strike beacon upload](https://res-2.cloudinary.com/xpnsec/image/upload/q_auto/v1/images/2021/01/dnskey.png)
In an attack recently investigated by Sophos, an unknown threat actor exploited an ancient-in-internet-years vulnerability in an 11-year-old installation of Adobe ColdFusion 9 to take control of the ColdFusion server remotely, then to execute ransomware known as Cring on the server, and against other machines on the target’s network. While several other machines were “bricked” by the ransomware, the server hosting ColdFusion was partially recoverable, and Sophos was able to pull evidence in the form of logs and files from the machine. The server running ColdFusion was running the Windows Server 2008 operating system, which Microsoft end-of-lifed in January, 2020.