The US cybersecurity agency CISA has warned that unidentified hackers broke into a federal government agency’s servers by taking advantage of a previously known vulnerability in software that no longer receives updates – meaning the agency could not have patched it even if it wanted to.
On Tuesday, CISA issued an advisory detailing two separate cyberattacks on an unnamed federal government agency. Hackers attacked the agency in June and July by targeting public-facing servers that were running outdated or end-of-life Adobe ColdFusion software, which is used to build web applications.
End of life for software means that the developer has publicly announced that it will no longer be supported or receive further software or security updates. Running out-of-date software is risky because it cannot be patched, exposing the organization running the software to cyberattacks.
CISA said there was no evidence that the attackers planted malware or did anything more than search the agency’s compromised network.
“The analysis suggests that the malicious activity by the threat actors was a reconnaissance effort to map the broader network,” CISA said, though it acknowledged that it could not confirm whether data was leaked from the agency’s network.
CISA did not respond to a request for comment when TechCrunch asked for more information about who it believes are the hackers responsible for targeting the agency. In the advisory, CISA said it did not know whether the two cyberattacks were carried out by the same hackers.
In both cyberattacks, Microsoft Defender for Endpoint, the native antivirus software for Windows, alerted the agency to the potential exploitation of the Adobe ColdFusion vulnerability and “quarantined” the hackers’ activities.
In March, CISA ordered all federal agencies to patch the known Adobe ColdFusion vulnerability that was exploited in these attacks, tracked as CVE-2023-26360.