TeamT5 Releases Latest Developments on Active Exploitation of Adobe ColdFusion Vulnerability

Security researchers have released their latest findings detailing CVE-2023-29300, a Java deserialization vulnerability resulting in arbitrary code execution.

Executive Summary

Security researchers from TeamT5 have released their latest findings detailing CVE-2023-29300, a Java deserialization vulnerability resulting in arbitrary code execution. At least 66 devices in Japan have already been compromised via CVE-2023-29300, affecting various sectors such as healthcare, education, and manufacturing. Threat actors, including cybercriminals and state-sponsored groups such as the China-nexus APT group SLIME13 (known as Flax Typhoon), are actively exploiting CVE-2023-29300 to deploy webshells, including Behinder, leading to unauthorized access and persistence.

Community Threat Assessment

Because public reporting on CVE-2023-29300, published Indicators of Compromise (IOCs, listed below) and a public scanning tool are all available, the RH-ISAC Intelligence Team assesses with high confidence that this campaign presents a low threat for organizations in the retail and hospitality sector that have implemented mitigations. RH-ISAC recommends Core Members review the intelligence included in this report and the linked TeamT5 report, which contains additional detail and appendices regarding CVE-2023-29300.

Members are also advised to review the IOCs provided below and ingest them into security systems promptly where applicable.

Context

Adobe ColdFusion is a commercial rapid web-application development platform. Unauthorized threat actors can exploit CVE-2023-29300 to deploy webshells to targets' devices and establish persistence. To exploit CVE-2023-29300, threat actors must first abuse an unauthenticated ColdFusion Component (CFC) endpoint. Public proof-of-concept code has exposed a ColdFusion Component endpoint that has also been exploited in the wild.

At its core, CVE-2023-29300 is a deserialization vulnerability that originates in the Web Distributed Data eXchange (WDDX) library. Once exploited, the vulnerability allows threat actors to load a payload via JNDI injection, connect to the C2 server and execute arbitrary code.

After successfully exploiting CVE-2023-29300, threat actors can deploy a webshell to ColdFusion. Once such a webshell exists, the threat actors can still access the ColdFusion Component even after the vulnerability is patched. TeamT5 analysis found that more than 1% of the ColdFusion Components in Japan have been compromised.

Mitigations and Indicators of Compromise

Adobe has released official patches for CVE-2023-29300, which members are encouraged to install and monitor accordingly. RH-ISAC Members can also use an available open-source nuclei-based vulnerability scanner to detect whether CVE-2023-29300 is present in their ColdFusion Component deployments.

The following IOCs from TeamT5 are provided for community awareness and ingestion:

  • cb493680d1a8ee7a70a2d339ece0b190db02fba4ba6af3b2c26a6b4841902d52
  • d6910571564cc4c61b1277334701c612fd3a25b96b63b267d64fcf48a5998254
  • 113[.]141.91.61
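As an added example (not part of the TeamT5 or RH-ISAC material), the following Python triages web-server access log lines for the request shape described in the Context section, a WDDX packet or JNDI lookup URL submitted to a ColdFusion Component (.cfc) endpoint, and checks the client address against the IOC list above. The Common Log Format, the WDDX and JNDI markers and the sample log lines are assumptions constructed for this example, not detection logic from either report.

```python
import re
from urllib.parse import unquote

# Address indicator quoted in this advisory (from TeamT5), defanged brackets removed.
IOC_ADDRESSES = {"113.141.91.61"}

# Heuristic markers (assumption, not from the advisory): a WDDX packet, or a
# JNDI lookup URL, arriving in a request to a ColdFusion Component (.cfc).
WDDX_MARKER = "<wddxpacket"
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://")

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def triage_line(line):
    """Return a list of reasons the request looks suspicious, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so double-percent-encoded parameters do not slip past the markers.
    target = unquote(unquote(m.group("target"))).lower()
    path = target.split("?", 1)[0]
    reasons = []
    if path.endswith(".cfc"):
        if WDDX_MARKER in target:
            reasons.append("wddx packet sent to cfc endpoint")
        if any(scheme in target for scheme in JNDI_SCHEMES):
            reasons.append("jndi lookup url in request")
    if m.group("ip") in IOC_ADDRESSES:
        reasons.append("source matches published indicator address")
    return reasons or None

def triage_log(lines):
    """Return (1-based line number, reasons) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reasons = triage_line(line)
        if reasons:
            hits.append((number, reasons))
    return hits

# Constructed sample log: RFC 5737 test addresses plus the advisory's indicator address.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2023:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2023:10:00:02 +0000] "POST /app/example.cfc?method=x&data=%3CwddxPacket%20version%3D%221.0%22%3E HTTP/1.1" 500 0',
    '113.141.91.61 - - [10/Jul/2023:10:00:03 +0000] "GET /app/example.cfc?method=x&data=rmi%3A%2F%2F192.0.2.9%2Fa HTTP/1.1" 500 0',
]
```

Running `triage_log(SAMPLE_LOG)` flags the second and third lines; a hit on a patched host is still worth a webshell hunt, since the Context section notes that persistence survives the patch.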
