The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning, revealing that an unknown group of hackers infiltrated the servers of a federal government agency. The breach was made possible by exploiting a vulnerability in software that was no longer receiving updates. CISA’s advisory disclosed that the attacks took place in June and July, targeting public-facing servers running outdated Adobe ColdFusion software, which is used for building web applications.
CISA cautions that outdated and unsupported software can serve as a gateway for hackers to breach systems and gain unauthorized access. It emphasizes the importance of promptly patching vulnerabilities and transitioning away from end-of-life software to ensure the security of critical systems.
Because the software was considered “end-of-life,” the agency could not have patched the vulnerability, even if it had wanted to. End-of-life software refers to applications for which the developer has publicly announced that it is discontinuing support, including any future software or security updates. Operating such software poses a significant risk since there are no available patches, leaving the organization susceptible to cyberattacks.
CISA clarified that there is currently no evidence of any malware being planted or any other malicious activities beyond the hackers probing the hacked agency’s network. While the agency suspects that the intrusion was merely a reconnaissance effort to map the broader network, it is unable to confirm whether any data was exfiltrated from the network.
In the advisory, CISA did not disclose any information regarding the identity of the hackers responsible for the attacks. It also stated that it could not determine whether the two cyberattacks were carried out by the same threat actors.
In both instances, Microsoft Defender for Endpoint, the native antivirus software in Windows, detected and alerted the agency to the potential exploitation of the Adobe ColdFusion vulnerability. It quarantined the hackers’ activities, preventing further compromise of the agency’s systems.
Earlier this year, CISA issued an order instructing all federal agencies to patch a specific vulnerability (CVE-2023-26360) in Adobe ColdFusion that was exploited in these attacks. This proactive measure aimed to mitigate the risk of similar incidents in the future.