Servers have always been attractive targets for threat actors due to their high privilege levels and potential for lateral movement within a network. Recently, Sophos X-Ops observed a variety of threats being delivered to servers, including Cobalt Strike Beacons, ransomware, fileless PowerShell backdoors, miners, and webshells.
In September and early October, there were several attempts by an unknown actor to exploit vulnerabilities in outdated versions of Adobe’s ColdFusion Server software. These attempts aimed to gain access to Windows servers running on the software and deploy ransomware. Although these attacks were unsuccessful, they provided valuable telemetry that allowed Sophos to associate them with a single actor or group of actors.
The retrieved files showed that the attacker was trying to deploy ransomware created using leaked source code from the LockBit 3.0 ransomware family. Similar ransomware was also used in a WS-FTP exploitation campaign. The article discusses the telemetry observed in one Sophos customer’s network and the tools and techniques used.
Fortunately, all attempts to compromise the servers were blocked by Sophos’ endpoint behavioral detections. Suspicious “living off the land binary” (LoLBIN) process initiations originating from the targeted servers were detected and prevented.
The article provides a detailed timeline of the attacker’s actions, showcasing their various attempts to exploit the server and deploy different payloads. However, all of their efforts were consistently blocked by Sophos’ defenses, including behavioral rules and other layers of protection.
Following the telemetry trail, Sophos discovered that the attacker unintentionally left directory listings enabled on the web server hosting their repository of tools. This allowed Sophos to explore the contents of the repository and find all the artifacts the attacker had attempted to deploy, including the final ransomware payload.
The ransomware variant discovered in the repository appears to be a new family of ransomware with a possible link to the leaked source code of LockBit 3.0. The ransom note file left by the attacker credits “BlackDogs 2023” and demands a ransom of 205 Monero (equivalent to roughly $30,000 US).
The article emphasizes the risks associated with outdated software, highlighting that the targeted servers were running an unsupported version of Adobe’s ColdFusion Server. With no bug fixes or updates available, these servers are vulnerable to exploitation. It is unclear which specific vulnerability was exploited in this attack, but the numerous vulnerabilities in the server software make it an attractive target for threat actors.
In conclusion, servers are highly targeted by threat actors due to their privileged access and potential for lateral movement within a network. Organizations must prioritize server security and ensure that their software is up to date and supported to mitigate the risk of successful attacks. Sophos’ endpoint behavioral detections and other layers of protection played a crucial role in blocking the attacker’s attempts to compromise the servers in this case.