Vulnerabilities · January 5, 2026 · 4 min read

Christmas Attack Campaign Targets ColdFusion with 2.5M Requests

GreyNoise researchers uncover coordinated campaign exploiting 767 CVEs across 47 technology stacks. Hong Kong-based infrastructure generated 98% of attack traffic on Christmas Day.

Marcus Chen

Security researchers at GreyNoise detected a massive scanning and exploitation campaign over the Christmas holiday, with threat actors generating 2.5 million malicious requests targeting 767 distinct CVEs across 47 technology stacks. Adobe ColdFusion servers took the initial brunt of the attack, with 68% of activity occurring on Christmas Day itself.

The campaign appears designed to identify vulnerable infrastructure for later exploitation—a hallmark of initial access broker operations where attackers sell footholds to ransomware gangs and other threat actors.

Attack Infrastructure

GreyNoise identified two IP addresses responsible for nearly all observed activity:

IP Address        Requests   Percentage
134.122.136.119   3,188      53.7%
134.122.136.96    2,683      45.2%

Both addresses belong to CTG Server Limited (AS152194), a Hong Kong-registered hosting provider operating approximately 201,000 IPv4 addresses across 672 network prefixes. Despite being only about one year old, CTG Server has already developed a reputation for hosting malicious activity, with prior links to phishing campaigns, spam operations, and weak abuse enforcement.

The two IPs operated concurrently 41% of the time, shared callback domains, and displayed automated behavior patterns consistent with coordinated infrastructure rather than independent actors.

ColdFusion Exploitation Details

The campaign specifically targeted Adobe ColdFusion servers with 5,940 malicious requests hitting 20 countries. The United States received 68% of ColdFusion-specific traffic, accounting for 4,044 sessions.

Attackers exploited more than 10 known ColdFusion vulnerabilities from 2023-2024:

CVE               Type                    Request Count
CVE-2023-26359    Deserialization RCE     833
CVE-2023-38205    Access Control Bypass   654
CVE-2023-44353    Remote Code Execution   611

The primary attack vector was WDDX deserialization triggering JNDI lookups via the JdbcRowSetImpl gadget chain—accounting for 80% of observed payloads. This technique allows attackers to achieve remote code execution on vulnerable servers by exploiting Java's naming and directory interface.

How Callback Verification Works

The attackers used ProjectDiscovery's Interactsh platform for out-of-band verification. When an exploit succeeds, the target server makes an outbound connection to an attacker-controlled callback domain. This confirms the vulnerability exists without requiring the attacker to maintain persistent access during the scanning phase.

GreyNoise observed 190 unique Interactsh OAST domains across the campaign, including:

  • oast.pro (42 callbacks)
  • oast.site (38 callbacks)
  • oast.me (34 callbacks)

This technique lets attackers confirm which targets are exploitable, build target lists, and return later—or sell that access to downstream threat actors.

Scale Beyond ColdFusion

Further analysis revealed ColdFusion was just one slice of a much larger operation. The same infrastructure generated 2.5 million requests targeting 767 different CVEs across 47 technology stacks using approximately 10,000 unique callback domains.

This systematic approach suggests the operators are building comprehensive vulnerability inventories across the internet. Organizations with unpatched vulnerabilities may have already been catalogued without knowing it.

The activity profile matches initial access broker operations—threat actors who specialize in gaining footholds and then selling that access to ransomware operators, corporate espionage groups, or other attackers. It's cheaper and faster for ransomware gangs to buy access than to conduct their own reconnaissance.

Why Christmas Day

The timing was deliberate. Security operations centers run skeleton crews during holidays. Monitoring alerts may go unnoticed until staff return. Detection signatures are less likely to be updated. And the decision-makers needed to authorize blocking actions or incident response may be unreachable.

Sixty-eight percent of the ColdFusion attack traffic occurred on December 25. The attackers knew exactly what they were doing.

Recommended Actions

Organizations running Adobe ColdFusion or any Java-based web applications should take immediate steps:

  1. Block identified infrastructure - Add 134.122.136.119 and 134.122.136.96 to firewall blocklists. Consider blocking AS152194 entirely.

  2. Patch ColdFusion installations - Ensure all 2023-2024 security updates are applied. Focus on CVE-2023-26359, CVE-2023-38205, and CVE-2023-44353.

  3. Review outbound connection logs - Look for connections to Interactsh domains (*.oast.pro, *.oast.site, *.oast.me) which may indicate successful exploitation.

  4. Enable JNDI restrictions - Java applications should disable or restrict JNDI lookups to prevent exploitation of deserialization vulnerabilities.
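As an added example (not GreyNoise's tooling or code from this article), a small Python script that turns actions 1 and 3 into log checks: it counts inbound requests from the two campaign IPs and flags outbound resolver queries to the Interactsh domains listed above, matching on whole DNS labels so that an unrelated name containing the substring "oast.pro" is not flagged. The log formats and every sample entry are constructed for the example.

```python
import re
from collections import Counter

# Indicators quoted in the article above (GreyNoise reporting).
CAMPAIGN_IPS = {"134.122.136.119", "134.122.136.96"}
OAST_SUFFIXES = ("oast.pro", "oast.site", "oast.me")

# Constructed sample logs, not real captures: inbound web-server entries
# (common log format) and outbound resolver entries "<ts> <client> query <qname> <type>".
INBOUND_LOG = """\
134.122.136.119 - - [25/Dec/2025:03:14:07 +0000] "POST /index.cfm HTTP/1.1" 500 0
10.0.0.5 - - [25/Dec/2025:03:15:01 +0000] "GET /index.cfm HTTP/1.1" 200 4521
134.122.136.96 - - [25/Dec/2025:03:16:22 +0000] "POST /index.cfm HTTP/1.1" 403 0
"""
OUTBOUND_DNS_LOG = """\
2025-12-25T03:14:09Z 10.0.0.20 query cfu7k2a1b3c4d5e6f7g8.oast.pro A
2025-12-25T03:20:11Z 10.0.0.20 query updates.example.com A
2025-12-25T03:21:40Z 10.0.0.31 query abc123.OAST.me. A
2025-12-25T03:22:02Z 10.0.0.40 query notoast.prod.example.com A
"""

_CLF_SRC = re.compile(r"^(\S+) ")
_DNS_QUERY = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")

def is_oast_host(host: str) -> bool:
    """True for an Interactsh OAST domain or any subdomain of one.
    Matches whole DNS labels, so 'notoast.prod.example.com' is not flagged
    even though it contains the substring 'oast.pro'."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in OAST_SUFFIXES)

def find_campaign_sources(lines):
    """Count inbound requests per source IP, keeping only the two campaign IPs."""
    hits = Counter()
    for line in lines:
        m = _CLF_SRC.match(line)
        if m and m.group(1) in CAMPAIGN_IPS:
            hits[m.group(1)] += 1
    return hits

def find_oast_callbacks(lines):
    """Return (internal client, queried name) for resolver entries that touch an
    OAST domain; each client is a host that may have executed an injected lookup."""
    callbacks = []
    for line in lines:
        m = _DNS_QUERY.match(line)
        if m and is_oast_host(m.group(3)):
            callbacks.append((m.group(2), m.group(3).lower().rstrip(".")))
    return callbacks
```

Any client that appears in the callback list should be treated as a candidate for forensic review, since a resolver hit alone shows the lookup was attempted, not whether the follow-on code execution succeeded.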

The infrastructure behind this campaign remains active. If your organization runs ColdFusion servers exposed to the internet, assume you've been scanned. The question is whether you were vulnerable when it happened.
