I told you so.

That’s probably the worst thing someone can say to you. Especially when it comes to security.

Many times over, I have preached the importance of staying up to date with the latest security patches and upgrades. This is for one big reason. The bad guys are always one step ahead.

As much as we hate to admit it, it’s true. If they weren’t, every hacker, criminal, or just “generally bad dude” would be out of a job. Yet, we are constantly having to protect ourselves from them. That’s because they stay one step ahead.

But by keeping your ColdFusion modern, and up to date, we drastically minimize our security risks. Because let’s face it, no system is ever 100% secure.

At this exact moment, there is a wave of ongoing security vulnerabilities being exploited. You see, a group of hackers has reverse engineered a Security update patch in order to wreak havoc on unpatched users. The APT (Advanced Persistent Threat) group is targeting unpatched users and are installing the China Chopper Trojan allowing for a backdoor into users systems for a total access takeover.

All systems not patched with the September 11, 2018 security update are at risk!

What is the China Chopper?

The China Chopper belongs to a group of threats known as web shells. These web shells are scripts that can be uploaded to allow for remote access of a system. Once uploaded, they can be used to administer permissions and execute commands.

The China Chopper variant was first discovered in 2012. Since then, it has been used the world over to access vulnerable servers. These servers specifically include those written in:

• JSP
• ASP
• ASPX
• PHP
• And that’s right… CFML

The China Chopper is not just limited to Windows either. It has been found running on Linux-based systems as well.

There are many ways that this trojan can access your files. Barring a direct server upload, the following ways are normally prevented via updated security:

• XSS (Cross Site Scripting)
• SQL Injection
• Exposed Admin Interfaces
• RFI (Remote File Include) Vulnerabilities
• LFI (Local File Include) Vulnerabilities
• File Processing Vulnerabilities
• Vulnerabilities in Apps and Services

The last on the list appears to be the root cause of this current security breach.

Effects of the China Chopper

According to US-CERT (United States Computer Emergency Readiness Team), there are four main reasons attackers would infect your system with the China Chopper.

1. To harvest and exfiltrate sensitive data and credentials;
2. To upload additional malware for the potential of creating, for example, a watering hole for infection and scanning of further victims;
3. To use as a relay point to issue commands to hosts inside the network without direct Internet access;
4. To use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of compromises to additional external networks. This could occur if the adversary intends to maintain long-term persistence.

In short, if your system is infected with the China Chopper (or any other web shell for that matter)… you’re gonna have a bad time.

So, how are you going to stop this from happening?

Preventing the China Chopper Attack on your Systems

It may seem like I’ve overstated this point but… employing regular updates as they are released is the number one way to prevent this issue. The best way to ensure that you are doing this is to take advantage of the automatic update system Adobe has in place. This way you are sure never to miss an update, and you stay your most secure with maximum protection.

Some of you may say… Oh, those updates are so annoying. They just eat up my server’s time… Well so does having to regain control of them after being infiltrated by an easily preventable cause. But sheesh! Aren’t those security updates annoying?

I hope you can detect the sarcasm.

Besides that though, there are a number of best practices you can take to help further secure your systems.

• Create and implement a least-privileges policy for your servers.
  • This reduces the capability of those with malicious intent and limits file and execution capabilities of certain directories.
• Create a Demilitarized Zone (DMZ) between your web apps and your servers.
  • By limiting traffic and logging interactions, you can identify potential threats much easier.
• Verify you have established a secure config of all of your web servers.
  • Triple check your permissions and block or disable all unnecessary ports and plugins.
• Perform regularly scheduled security scans and follow proper lockdown procedures.
  • This will help you to identify problem areas that you can further secure before anything terrible happens. This best practice is made much easier through the use of CF 2018’s Auto Lockdown feature.

These are just a few best practices you can utilize to help further protect your systems and servers.

For more on best practices, check out our podcast with Nolan Erck, “047 Best Practices Are Best, Except When They’re Not”

Converting Legacy Code to Modern, Vibrant CFML

Along with updating your security, updating your code is just as important. There may be many reasons why you are still working with outdated CFML.

CFML is dying… Why should I waste my time with it?

False. CFML is more alive than ever! Adobe released its latest version CF 2018 this year. And after speaking with Tridib Roy Chowdhury, numbers have never been better for Adobe. For all you Lucee users out there, great news for you! Swansea Jack aka Lucee 6 was just announced at this year’s CFCamp in Munich! Plus with all the young, fresh faces representing the CF community… it looks like CFML is here to stay. So your “CFML is dying” excuse… yeah right.

It’s so hard to convert legacy code to modern code. Better to use my old code until obsolete.

False. Yeah, just like it’s still better to use those @aol.com accounts and stay on Windows 95. You may laugh, but there are still some out there doing this. It’s becoming easier and easier by the day to convert your legacy code.

In another podcast with Nolan Erck–059 Migrating legacy CFML to MVC (Model View Controller),

he discusses just how easy it is to migrate to MVC. Brad Wood just gave a presentation on Day 2 of the CFCamp on migrating CFML to MVC via the heavy hitting, yet simple to use ColdBox MVC Module.

Related: “Easily Moving from Legacy Code Hell to Modern CFML Heaven”

There are plenty of resources available to help you make a change for the better. So… not gonna buy that excuse either.

The old system and code are working just fine… I don’t need any stinking upgrade.

False. I mean burying your excrement in the backyard worked fine too… But thank goodness for flush toilets! There are so many benefits to upgrading your legacy code. Here are just a few:

• Easier Maintenance
• Faster Deployments
• Fewer Bugs
• More Modern and Responsive Front End

But hey, if you like spending long hours and resources on unnecessary bug repairs… be my guest.

In a nutshell, I can’t tell you how to live your life. But I can give you suggestions on how to make it better… for your CFML experiences particularly. This attack was completely avoidable, and yet still any users were affected. Heck, newly infected systems grow in number each day. This does not say anything about the state of security for ColdFusion and CFML though. By keeping up-to-date with your security protocols and enlisting the help of third-party tools, you can keep your servers just as secure as any other.

Related:  Podcast with Pete Freitag–020 Secrets of High-Security ColdFusion Code.

Join the CF Alive revolution

Discover how we can all make CF more alive, modern and secure this year. Join other ColdFusion developers and managers in the CF Alive Inner Circle today.

• Get early access to the CF Alive book and videos
• Be part of a new movement for improving CF's perception in the world.
• Contribute to the CF Alive revolution
• Connect with other CF developers and managers
• There is no cost to membership.