Multiple threat actors are leveraging a recently discovered code execution vulnerability (CVE-2018-20062) in the ThinkPHP framework.
The flaw was already addressed by the Chinese firm TopThink that designed the framework, but security expert Larry Cashdollar at
Akamai’s Security Incident Response Team has now discovered active exploits of the flaw in the wild.
Cashdollar was investigating a recent Magecart campaign when he discovered a new strain of malware.
“While investigating the recent Magecart card skimming attacks, I came across a payload I was not familiar with. Further research into it led me to discover that in December a researcher disclosed a remote command execution vulnerability in ThinkPHP, a web framework by TopThink.” reads the analysis published by the expert.
“The developers fixed the vulnerability, stating that because ‘the framework does not detect the controller name enough, it may lead to possible “getshell” vulnerabilities without the forced routing enabled.’”
Multiple attackers are using relatively simple techniques to trigger the issue; according to Cashdollar, a single line of code is enough to scan for the flaw.
Once they discover the flaw, the attackers can use publicly available code to exploit it and install several pieces of malicious code.
Cashdollar said that in one case, threat actors exploited the flaw to deliver a variant of the Mirai bot.
“There are multiple actors abusing this flaw to install everything from a Mirai-like botnet to Microsoft Windows malware.” continues the post.
The analysis of samples from the last 7 days revealed that the majority of IP addresses are from the Asia Pacific region, where the ThinkPHP framework is most popular.
Cashdollar confirmed that threat actors are actively scanning systems across the world.
To secure your system, update the framework to the current version.
“There is so much attack traffic, and so many ways to hide, criminals no longer worry about the tracks they’ve left behind. The goal now is to get command execution as any user, on any type of system, to either spread a botnet, distribute malware, or mine cryptocurrency.” concludes the expert.
“We will see more cross-pollination of command execution vulnerabilities in web apps, enterprise software, and IoT devices being used against multiple target platforms.”
(SecurityAffairs – hacking, ThinkPHP)