U.S. cybersecurity agency CISA has warned that unknown hackers broke into the servers of a federal government agency by taking advantage of a previously known vulnerability in software that no longer receives updates — meaning the agency couldn’t have patched it even if it wanted to.
On Tuesday, CISA released an advisory detailing two separate cyberattacks on an unnamed federal government agency. The hackers attacked the agency in June and July by targeting public-facing servers that were running outdated or end-of-life Adobe ColdFusion software, used for building web applications.
End-of-life software means that the developer has announced publicly it will no longer be supported or receive further software or security updates. Running end-of-life software is by definition risky because it cannot be patched, exposing the organization who runs the software to cyberattacks.
Do you have more information about these attacks? Or other attacks targeting government agencies? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email email@example.com. You also can contact TechCrunch via SecureDrop.
CISA said there is no evidence the attackers planted malware or did anything more than looking around in the hacked agency’s network.
“Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network,” but CISA conceded that it could not confirm if data was exfiltrated from the agency’s network.
CISA did not respond to a request for comment, when asked by TechCrunch for more information on who the agency believes are the hackers responsible for targeting the agency. In the advisory, the CISA said it didn’t know if the two cyberattacks were performed by the same hackers.
In both cyberattacks, Microsoft Defender for Endpoint, Windows’ native antivirus software, alerted the agency to the potential exploitation of the Adobe ColdFusion vulnerability and “quarantined” the hackers’ activities.
In March, CISA ordered all federal agencies to patch one of the known vulnerabilities in Adobe ColdFusion that were exploited in these attacks, CVE-2023-26360.