Question, what do Bing.com and Authorize.net have in common? Who would have guessed that they both have servers located in a data center that has had a fire? Or that they may have to put more into the planning portion of Disaster Recovery and Business Continuity? Authorize.net has been completely down for several hours now. Bing.com/travel had this to say: "A fire occurred at Fisher Plaza in downtown Seattle just after midnight on Friday morning. The blown transformer knocked out power to the entire building, which is home to the Bing Travel servers. We're hard at work to restore service following this unexpected event. Our current estimate for re-establishing Bing Travel functionality is 5pm PST, July 3rd." Perhaps they should have read one of our SANS papers on BCP/DRP planning.  Reading room link is here. More information is available at this twitter http://twitter.com/authorizenet where Authorize.net are tweeting. The media are also following the story, KOMO a local station was knocked offline but are broadcasting from a backup site. 

 Update: Authorize.net appear to be at least partially back up and running.

Celebrate, watch fireworks, but don't click on links in emails or surf to sites with Fourth of July, Independence day, or Fireworks as key words. Websense is reporting that Waledac will be using the above subjects in emails with links to sites that appear to be a video, but instead downloads malware. Their alert is here. More information is also available at the ESET blog here.

"FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnerability." The advisory is here. CVE-2009-2265 has been assigned to the vulnerability. The patch and a new version of the editor will be available next week (06 July). Keep a close eye on any system with this package installed on it, it is recommended to follow mitigation steps in the advisory in the meantime. A number of compromises have been reported as a result of the exploit being used prior to now. Thanks Andrea.

The credit card payment gateway authorize.net is currently down. A fire at their data center is apparently the cause.  Thanks to Joey, Tommy, and Jonathan for writing in.

There have been a high number of Cold Fusion web sites being compromised in last 24 hours. We received several e-mails about this.

It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server.

The attacks we've been seeing in the wild end up with inserted <script> tags into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients.

What's interesting is that the group behind this is probably connected (if not the same) as the group that performed a lot of similar attacks back in March. I wrote several diaries about them – see http://isc.sans.org/diary.html?storyid=6001 and http://isc.sans.org/diary.html?storyid=6010

Back in March, once they gained access to the server, they used a local privilege escalation exploit for a vulnerability that was, at that time, unpatched. If your servers are up to date with Microsoft patches, the vulnerability has been patched but they still can modify local web site files in a lot of cases (and sometimes even more, depending on Cold Fusion's configuration).

We'll be carefully monitoring the situation with this, of course. In the mean time, make sure that all applications you are running are up to date and fully patched. Another thing you might want to do is check for any old software you might have on your servers – it is very common for applications to leave old, vulnerable parts that are not used any more hanging around. And such applications are just waiting to be compromised.

Thanks to Adam for giving us an early heads up.

UPDATE

We received some additional information about this whole case with ColdFusion. It appears that there are two attack vectors (both using vulnerable FCKEditor installations though) that the attackers are exploiting.

First, version 8.0.1 of Cold Fusion installs a vulnerable version of FCKEditor which is enabled by default. This is very bad news, of course, since the attacker can just directly exploit FCKEditor to upload arbitrary files on affected servers. Information on how to disable this is available on the ColdFusion web site at http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

The second attack vector is again through vulnerable FCKEditor installations, but which are this time dropped through 3rd party application. One of the common applications that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion. Older versions of CFWebstore used vulnerable FCKEditor installations -- if you are using CFWebstore make sure that you are running the latest version and that any leftovers have been removed.

--
Bojan