Gbhackers
Attackers Exploit WDigest Vulnerability to Harvest Plaintext Credentials
A multi-stage attack on Internet-facing IIS servers began with host and domain enumeration commands and escalated to credential theft with Mimikatz. Initial forensics pointed to exploitation of Adobe ColdFusion vulnerabilities (CVE-2023-26360, CVE-2023-29298, CVE-2023-29300) as the entry point. The attackers uploaded a webshell concealed inside an image file (steganography), then ran a defense-impairment batch script, i.bat, that disabled logging and security services. They also downgraded Windows credential protection by re-enabling WDigest plaintext credential caching, so that LSASS kept cleartext passwords in memory for Mimikatz to harvest, and altered Microsoft Defender settings to switch off monitoring, clearing the way for data exfiltration. Targets included Western and European environments, and the adversary returned to the compromised server after the first remediation attempt, which had not removed their access. The incident highlights the risk of unpatched vulnerabilities combined with inadequate logging, which left the intrusion unobserved while the defenses were being dismantled.
Key Points:
• Attackers exploited multiple vulnerabilities in Adobe ColdFusion to gain access.
• Steganographic techniques were used to hide a webshell within an image file.
• Windows credential protections were downgraded, allowing plaintext credential harvesting.
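The three changes the article describes (WDigest plaintext caching turned on, Defender monitoring turned off, logging services stopped) are all visible from the host, and an image file that is really a webshell still contains script markers a real image never has. The following PowerShell audit is an added example written for this page; it is not code from the GBHackers article, from the incident, or from the i.bat script it describes. It assumes an elevated PowerShell 5.1 or later session on a Windows Server with the Defender cmdlets available, and the web-root paths, service list and script-marker regex are this example's own choices, not values taken from the article.

```powershell
# Added example, not code from the article or the incident it describes.
# Audits an IIS/ColdFusion host for the defense-impairment and credential
# downgrade described above, then offers a reversal for the settings.
# Assumptions: elevated PowerShell 5.1+, Defender cmdlets present, and the
# web-root paths below are default install locations (adjust for your host).

function Get-DefenseImpairmentFindings {
    $findings = @()

    # 1. WDigest. UseLogonCredential=1 makes LSASS keep cleartext passwords,
    #    which is exactly what Mimikatz's sekurlsa::wdigest reads back out.
    #    Absent or 0 is the safe state (the default since KB2871997 / Server 2012 R2).
    $wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $wd = Get-ItemProperty -Path $wdigestPath -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($wd -and $wd.UseLogonCredential -eq 1) {
        $findings += 'WDigest UseLogonCredential=1: plaintext credentials cached in LSASS'
    }

    # 2. Defender tampering: monitoring switched off, or exclusions that let a
    #    webshell and Mimikatz run unscanned.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        if ($mp.DisableRealtimeMonitoring) { $findings += 'Defender real-time monitoring disabled' }
        if ($mp.DisableBehaviorMonitoring) { $findings += 'Defender behaviour monitoring disabled' }
        foreach ($p in @($mp.ExclusionPath)) {
            if ($p) { $findings += "Defender path exclusion: $p" }
        }
    }

    # 3. Logging and security services a defense-impairment script would stop.
    #    (Service list is this example's assumption; extend it for EDR agents.)
    foreach ($name in 'EventLog', 'WinDefend', 'MpsSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled')) {
            $findings += "Service $name is $($svc.Status), start type $($svc.StartType)"
        }
    }

    # 4. Steganographic webshell: image files under the web roots that carry
    #    ColdFusion, ASP.NET or PHP script markers. Genuine images do not.
    $webRoots = @('C:\inetpub\wwwroot', 'C:\ColdFusion2023\cfusion\wwwroot') |
        Where-Object { Test-Path -Path $_ }
    $marker = '<cf(script|execute|file|query)|<%@|<\?php|eval\s*\('
    foreach ($root in $webRoots) {
        $images = Get-ChildItem -Path $root -Recurse -File -Include *.jpg, *.jpeg, *.png, *.gif -ErrorAction SilentlyContinue
        foreach ($img in $images) {
            if (Select-String -Path $img.FullName -Pattern $marker -Quiet) {
                $findings += "Script markers inside image file: $($img.FullName)"
            }
        }
    }
    return $findings
}

function Repair-DefenseImpairment {
    # Reverses the settings above. Run it only after the webshell and any other
    # persistence are gone: in this incident the adversary returned after a
    # partial cleanup, and flipping registry values back does not evict them.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
        -Name UseLogonCredential -Value 0 -Type DWord
    Set-MpPreference -DisableRealtimeMonitoring $false -DisableBehaviorMonitoring $false
    foreach ($name in 'EventLog', 'WinDefend', 'MpsSvc') {
        Set-Service -Name $name -StartupType Automatic -ErrorAction SilentlyContinue
        Start-Service -Name $name -ErrorAction SilentlyContinue
    }
}

# Report first; decide on repair after the findings have been reviewed.
Get-DefenseImpairmentFindings
```

Two caveats when acting on the output. Setting UseLogonCredential back to 0 stops LSASS from caching new cleartext passwords, but credentials already cached from existing logon sessions stay in memory until those sessions end, so any account that logged on while the value was 1 should be treated as exposed and have its password rotated. And the image scan is a coarse triage filter, not proof of compromise: confirm a hit by checking the file's timestamps against IIS and ColdFusion request logs for the upload and the first requests that reached it.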