By exploiting an already patched remote authentication bypass vulnerability in Adobe’s ColdFusion, attackers are installing data-stealing malware on Microsoft’s Internet Information Services (IIS) Web server software.
IIS Web servers are being infected with malicious modules designed to steal information submitted by users, researchers at security firm Trustwave said.
The modules are rogue DLL (dynamic link library) files installed by a malware program that Trustwave researchers have named ISN; it targets both 32-bit and 64-bit versions of IIS 6 and IIS 7 and later.
The catch is that the whole episode could have been averted had administrators installed the patch Adobe issued in January. That update fixed the vulnerability identified as CVE-2013-0629 and came a few weeks after the company had warned customers that the flaw was already under attack.
In this case the attackers used the vulnerability to install a backdoor known as a Web shell, which lets them run shell commands on the underlying operating system.
In the attack, ISN detects the IIS version and installs the corresponding DLL module, which then monitors POST requests — data submissions — to specific URLs and saves the information to a log file.
Because the module runs inside the IIS process and sees requests only after the server has decrypted them, the data is captured even when the connection between the user and the server is protected by SSL (Secure Sockets Layer). On an e-commerce site running on a compromised IIS server, the captured data can include personal and payment details entered by customers. The rogue DLLs also accept commands passed through URL parameters, which the attackers use to download the stored information.
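The module behavior described above gives a responder one concrete thing to check: whether every native module IIS is configured to load actually lives where a stock module should. The Python script below is an added example written for this article, not code from Trustwave or from the ISN report, and it relies on nothing about ISN beyond the fact that it registers a DLL as an IIS module. It parses the globalModules section of an IIS 7 (or later) applicationHost.config and flags any entry whose DLL sits outside the stock %windir%\System32\inetsrv and .NET Framework directories, including an entry that borrows a legitimate module name. The trusted directory list, the module names and the config fragment are constructed for illustration, and the Windows directory is assumed to be C:\Windows.

```python
"""Audit IIS 7+ native module registrations for DLLs loaded from unexpected paths.

Added example for this article, not Trustwave's or the ISN authors' code. ISN
registers a rogue DLL as an IIS module so it can read POST bodies after the
server has decrypted them; a responder's first check is therefore where every
registered module image actually lives. IIS 7+ keeps that list in
%windir%\\System32\\inetsrv\\config\\applicationHost.config under
<system.webServer><globalModules>. Assumptions: stock module images live under
%windir%\\System32\\inetsrv or the .NET Framework directories, %windir% is
C:\\Windows, and the sample config below is constructed, not from a real case.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

# Directories a stock IIS 7+ install loads native modules from (assumption).
TRUSTED_DIRS = (
    "%windir%\\System32\\inetsrv",
    "%windir%\\Microsoft.NET\\Framework",
    "%windir%\\Microsoft.NET\\Framework64",
)

# Constructed sample applicationHost.config fragment: three stock modules, the
# managed engine (legitimately outside inetsrv), and one entry that borrows a
# real module name but points at a DLL in a web-writable temp directory.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="ManagedEngine" image="%windir%\\Microsoft.NET\\Framework\\v2.0.50727\\webengine.dll" />
      <add name="HttpCacheModule" image="C:\\inetpub\\temp\\httpcache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def normalize(image, windir="C:\\Windows"):
    """Expand %windir%/%SystemRoot%, resolve '..' segments and unify slashes and
    case, so that 'inetsrv\\..\\..\\Temp\\x.dll' cannot masquerade as inetsrv."""
    # A lambda replacement keeps re.sub from treating backslashes in windir as escapes.
    expanded = re.sub(r"%(windir|systemroot)%", lambda _m: windir, image,
                      flags=re.IGNORECASE)
    return ntpath.normpath(expanded).lower()


def is_trusted_location(image):
    """True when the DLL's directory is, or sits under, one of TRUSTED_DIRS."""
    directory = ntpath.dirname(normalize(image))
    for trusted in (normalize(d) for d in TRUSTED_DIRS):
        if directory == trusted or directory.startswith(trusted + "\\"):
            return True
    return False


def suspicious_modules(config_xml):
    """Return every globalModules entry whose image is missing or untrusted."""
    findings = []
    for section in ET.fromstring(config_xml).iter("globalModules"):
        for entry in section.findall("add"):
            name = entry.get("name", "")
            image = entry.get("image", "")
            if not image:
                findings.append({"name": name, "image": image,
                                 "reason": "module has no image path"})
            elif not is_trusted_location(image):
                findings.append({"name": name, "image": image,
                                 "reason": "image outside trusted directories"})
    return findings


if __name__ == "__main__":
    for finding in suspicious_modules(SAMPLE_CONFIG):
        print("SUSPICIOUS %s: %s (%s)" % (finding["name"], finding["image"],
                                          finding["reason"]))
```

On a live IIS 7 or later host the same registration list can be pulled with the Get-WebGlobalModule cmdlet from the WebAdministration PowerShell module and fed to the same path check. IIS 6, which the article says ISN also targets, registers ISAPI filters in the metabase rather than in applicationHost.config, so this parser does not cover it. A module that passes the path check can still be malicious if the attacker overwrote a stock DLL in place, so the check complements, rather than replaces, hash verification of the inetsrv directory.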
The Trustwave researchers traced a ColdFusion compromise that led to the installation of ISN back to the end of February, over a month after Adobe issued its patch.
The incident highlights the difficulty organizations face in adjusting their patching schedules to keep up with attackers who now target newly disclosed vulnerabilities far faster than in previous years.
It also shows that ColdFusion is an attractive target. Adobe has warned customers twice this year about ColdFusion vulnerabilities that were already under attack before a patch was available.