Gang wielding ColdFusion exploits expands botnet of hacked e-commerce sites
Posted on 18 March 2014.
A German website of French automaker Citroën is the latest of the wide array of higher-profile webshop sites that have been compromised by a hacker gang leveraging Adobe ColdFusion vulnerabilities.

According to The Guardian, the website in question - - is a site for buying Citroën-themed gifts, and was run by third-party web design company anyMotion.

The hackers have managed to compromise it and install a backdoor that would give them continuous access to the server on which it was hosted, and the user information it contained.
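A backdoor dropped on a web server shows up as a file that was not there before, or as a legitimate page whose contents changed. One defender-side check is to keep a hash baseline of the web root off the host and compare against it on a schedule. The script below is an added example, not code from the article or from any of the companies it names; the web root layout, file names and contents are constructed sample data.

```python
"""Detect files added, changed or removed under a web root by comparing
a fresh scan against a stored baseline of SHA-256 hashes.

Added example for illustration only; the directory layout and file names
below are constructed, not real paths from any compromised site.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path) -> dict:
    """Map every regular file under webroot (relative POSIX path) to its digest."""
    manifest = {}
    for p in sorted(webroot.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(webroot).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Take a baseline, simulate a later change, and return the diff."""
    with tempfile.TemporaryDirectory() as web, tempfile.TemporaryDirectory() as store:
        root = Path(web)
        # Constructed sample web root with two legitimate pages.
        (root / "index.cfm").write_text("<cfoutput>Welcome</cfoutput>\n")
        (root / "shop").mkdir()
        (root / "shop" / "cart.cfm").write_text("<cfset total = 0>\n")

        # The baseline is written outside the web root; in practice it
        # belongs on a separate host so a server compromise cannot alter it.
        baseline_file = Path(store) / "baseline.json"
        baseline_file.write_text(json.dumps(build_manifest(root)))

        # Later: an unexpected new file appears and an existing page changes.
        (root / "shop" / "tmp_upload.cfm").write_text("<!-- constructed, unexpected file -->\n")
        (root / "index.cfm").write_text("<cfoutput>Welcome</cfoutput><!-- changed -->\n")

        baseline = json.loads(baseline_file.read_text())
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing the content rather than checking timestamps matters because modification times are trivially reset; the baseline itself must live somewhere the web server's account cannot write.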

anyMotion has apparently closed the backdoor and is working on establishing whether the server has been otherwise compromised. It is still unknown what data has been stolen, but Citroën has been urging its German customers to check their bank balances for suspicious transactions, which seems to indicate that payment card data was probably snatched.

The company also reset user and site admin passwords, so it's likely that information was also compromised.

"This report makes two very important points about running a business on the Internet," commented Lancope CTO Tim Keanini. "The first is that staying up to date on currently exploited vulnerabilities may be just enough margin of time to remediate before you're next in line. If you know on Monday that version 123 of application ABC is being exploited, and by Tuesday you have upgraded or mitigated the vulnerability, you pull yourself out of the target space. You can rest assured that these guys are hunting down more victims on the Internet that match this victim's criteria. It is not over yet.

"The second is the fact that 'security is everyone's responsibility'. Just because you outsource some function of the company does not make security their problem and no longer your problem. In fact, you should go through the entire list of partners you have and ask yourself, if any of these business functions were exploited, what would that do to the continuity of my business? Now is the time to surface these dependencies, not after they are breached," he concluded.

According to Brian Krebs, previous targets of this same gang include jam and jelly maker Smucker's, credit card processing firm Securepay, a string of US data brokers, PR Newswire, Adobe and, lastly, Citroën, as well as two US companies selling lighting products in their online stores and LaCie, a Seagate-owned hardware company.

"The two companies that agreed to talk with me were both lighting firms, and both first learned of their site compromises after the credit card firm Discover alerted their card processors to a pattern of fraudulent activity on cards that were recently used at the stores," he noted.

The two companies in question are and , both of which ultimately decided to outsource credit card processing to a third party so that they would no longer be responsible for payment card data in the event of a future compromise.

As it happens, had even hired a security compliance firm to test the site and servers for security holes just before the breach took place, and the firm missed the ColdFusion flaws exploited by the attackers.

