The US cybersecurity agency CISA has warned that unknown hackers broke into the servers of a federal government agency by exploiting a previously known vulnerability in software that no longer receives updates – meaning the agency could not fix it even if it wanted to.
On Tuesday, CISA has issued an advisory detailing two separate cyber attacks on an unnamed federal government agency. Hackers attacked the service in June and July by targeting publicly accessible servers running outdated or outdated Adobe ColdFusion software, which is used to build web applications.
End-of-life software means that the developer has publicly announced that it will no longer be supported or receive further software or security updates. Running software at end-of-life is by definition risky because it cannot be fixed, exposing the organization running the software to cyber-attacks.
Contact us
Do you have more information about these attacks? Or other attacks targeting government agencies? We would love to hear from you. Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or email at lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
CISA said there was no evidence the attackers planted malware or did more than look around the breached agency’s network.
“The analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the wider network,” but CISA admitted it could not confirm whether data from the agency’s network had been infiltrated.
CISA spokesman Antonio Soliz declined to comment when asked by TechCrunch for more information about who the agency believes are the hackers responsible for targeting the agency.
In the advisory, CISA said it did not know whether the two cyberattacks were carried out by the same hackers.
In both cyberattacks, Microsoft Defender for Endpoint, Windows’ native antivirus software, alerted the service to a possible exploit of the Adobe ColdFusion vulnerability and “quarantined” the hackers’ activities.
In March, CISA ordered all federal agencies to patch one of the known vulnerabilities in Adobe ColdFusion used in these attacks. CVE-2023-26360.
UPDATE, Dec. 6, 4:31 p.m. ET: This story was updated to include no comment from the CISA spokesperson.
