The US cybersecurity agency CISA warned that unknown hackers broke into the servers of a federal government agency by exploiting a previously known vulnerability in software that no longer receives updates, meaning the agency could not have patched it even if it had wanted to.
On Tuesday, CISA published a notice detailing two separate cyberattacks on an unnamed federal government agency. Hackers attacked the agency in June and July by targeting public servers running outdated or end-of-life Adobe ColdFusion software used to create web applications.
End-of-life software is software whose developer has publicly announced that it will no longer be supported or receive any further software or security updates. Running end-of-life software is, by definition, risky because it cannot be patched, exposing the organization running it to cyberattacks.
CISA said there is no evidence that the attackers planted malware or did anything more than look around the hacked agency's network.
“The analysis suggests that the malicious activity carried out by the threat actors was a reconnaissance effort to map the broader network,” CISA wrote, but it admitted it could not confirm whether any data was extracted from the agency's network.
CISA did not respond to TechCrunch's request for more information about who the agency believes is responsible for the attacks. In the advisory, CISA said it did not know whether the two cyberattacks were carried out by the same hackers.
In both cyberattacks, Microsoft Defender for Endpoint, the native Windows antivirus software, alerted the agency to the potential exploitation of the Adobe ColdFusion vulnerability and “quarantined” the hackers' activities.
In March, CISA ordered all federal agencies to patch one of the known Adobe ColdFusion vulnerabilities exploited in these attacks, CVE-2023-26360.