
Prioritize patching of internet-facing systems or get hacked - a US government primer

Take action: Always prioritize patching of internet-facing systems. As an alternative mitigating measure, lock them in an internal network. Don't be optimistic: hackers use automation to find your vulnerable systems.


Learn More

During the summer, hackers compromised public-facing servers of an unnamed U.S. federal agency through a vulnerability in Adobe ColdFusion, identified as CVE-2023-26360. This bug affected Adobe ColdFusion versions 2018 Update 15 and earlier, as well as 2021 Update 5 and earlier, including versions no longer supported by Adobe.

  1. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed these breaches through network log analysis. The first breach began on June 2nd, with the attackers gaining access to a server and attempting various activities, including data exfiltration. These attempts were detected and thwarted.
  2. The second incident occurred on June 26, involving another server. In this case, the malware used attempted to decrypt ColdFusion data source passwords but was unsuccessful due to the use of a newer ColdFusion version by the agency.

CISA had previously added CVE-2023-26360 to its list of Known Exploited Vulnerabilities in March and required federal agencies to patch this flaw by April 5. Despite these warnings, the vulnerabilities remained unpatched for over three months. Adobe had also issued alerts throughout 2023 regarding ColdFusion vulnerabilities.
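The triage this advice implies, as an added example that is not code from CISA or Adobe: it checks an inventory against the affected ranges quoted above and queues internet-facing hosts first, with days past the KEV deadline. The host names, the inventory, and the release-year plus update-number version model are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Affected ranges as stated on this page for CVE-2023-26360:
# ColdFusion 2018 Update 15 and earlier, 2021 Update 5 and earlier,
# plus releases Adobe no longer supports.
LAST_AFFECTED_UPDATE = {2018: 15, 2021: 5}
KEV_DUE = date(2023, 4, 5)  # deadline from the page; year taken from the CVE id


@dataclass
class Host:
    name: str
    release: int           # ColdFusion release year, e.g. 2018
    update: int            # installed update level
    internet_facing: bool


def is_affected(h: Host) -> bool:
    if h.release not in LAST_AFFECTED_UPDATE:
        # Releases older than 2018 are out of support: treat as affected.
        # Newer releases fall outside the ranges the page lists.
        return h.release < min(LAST_AFFECTED_UPDATE)
    return h.update <= LAST_AFFECTED_UPDATE[h.release]


def patch_queue(hosts, today):
    """Affected hosts, internet-facing first, with days past the KEV deadline."""
    overdue = max((today - KEV_DUE).days, 0)
    affected = [h for h in hosts if is_affected(h)]
    affected.sort(key=lambda h: (not h.internet_facing, h.name))
    return [(h.name, h.internet_facing, overdue) for h in affected]


# Constructed inventory (hypothetical host names and versions).
INVENTORY = [
    Host("intranet-cf", 2021, 4, False),
    Host("public-forms", 2018, 15, True),
    Host("public-portal", 2021, 6, True),
    Host("legacy-app", 2016, 17, True),
    Host("reports", 2018, 16, False),
]

if __name__ == "__main__":
    for name, exposed, overdue in patch_queue(INVENTORY, date(2023, 6, 2)):
        print(f"{name:14} internet_facing={exposed} overdue_days={overdue}")
```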
