Servers are always a point of interest for threat actors as they are one of the most efficient attack vectors to penetrate an organization. Server-related accounts often have the highest privilege levels, making lateral movement to other machines in the network easily achievable. Sophos X-Ops has observed a wide variety of threats being delivered to servers, with the most common payloads being Cobalt Strike Beacons, ransomware, fileless PowerShell backdoors, miners, and webshells.
In September and early October, we saw several efforts by a previously unknown actor to leverage vulnerabilities in obsolete, unsupported versions of Adobe’s ColdFusion Server software to gain access to the Windows servers they ran on and pivot to deploying ransomware. None of these attacks were successful, but they provided telemetry that allowed us to associate them with a single actor or group of actors, and to retrieve the payloads they attempted to deploy.