Akamai researchers observed a Chinese threat actor exploiting two old remote code execution vulnerabilities, tracked as CVE-2018-20062 and CVE-2019-9082, in ThinkPHP.
The campaign seems to have been active since at least October 2023, it initially targeted a limited number of customers/organizations but recently became widespread.
The attacks originated from various IP addresses associated with servers hosted on the “Zenlayer” cloud provider (ASN 21859) which is primarily located in Hong Kong.
“Attackers are exploiting known vulnerabilities, some of them several years old, and they are having success doing so. A prime example of this is the ThinkPHP remote code execution (RCE) vulnerabilities CVE-2018-20062 and CVE-2019-9082.” reads the analysis published by Akamai.
In attacks detected on October 17, 2023, threat actors exploited vulnerabilities by instructing victim servers to install an obfuscated shell from a remote server under the attacker’s control, rather than using common “proof of concept” commands. This initial campaign was short-lived, but a similar and much larger campaign has been observed as of April 2024.
The CVE-2018-20062 and CVE-2019-9082 vulnerabilities in the Chinese ThinkPHP framework impact content management systems like NoneCMS and open-source BMS. These vulnerabilities allow attackers to remotely execute code on the victim’s server. They are part of a series of exploit variants targeting different ThinkPHP components, disclosed over several years starting from 2018.
The attacks detected by Akamai exploit the flaws to download a file named “public.txt” from a compromised server in China. This file is saved on victims’ systems as “roeter.php,” likely a misspelling of “router.” The downloaded file contains an obfuscated web shell, a server-side backdoor script for remote control. The web shell code is obfuscated using a basic ROT13 transformation, resulting in a long HEX string. The attackers used a simple password, “admin,” to access the web shell.
“The web shell demonstrates advanced capabilities, such as navigating the file system, which enables operations like file editing, deletion, and timestamp modification for obfuscation purposes.” continues the analysis. “The webshell user interface, also known as Dama, is in Traditional Chinese. In addition to the aforementioned advanced mechanisms, Dama facilitates file uploads to the server and gathers crucial technical system data, including precise OS versions and PHP information, which aids in the identification of pertinent privilege escalation exploits.
The experts pointed out that the Dama web shell stands out because of the Chinese origin of the user interface.
Post-exploitation features include network port scanning and access to existing databases and server data. The web shell also allows privilege escalation by bypassing disabled sensitive PHP functions to execute shell commands on the server. The web shell also uses the Windows task scheduler to reconfigure WMI and add high-privileged users. The Akamai researchers observed that despite its extensive functionality, the web shell lacks support for a command-line interface (CLI) for executing direct OS shell commands.
“This web shell is yet another example of a one-day — despite how long they’ve been known, attackers continue to target and exploit them, with notable success. This underscores the persistent challenge organizations face in identifying vulnerable assets and maintaining effective patch management processes.” concludes the report. “The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully fledged web shell, designed for advanced victim control. Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ThinkPHP)