Attacks Targeting Recent PHP Framework Vulnerability Found

New attacks that target a recent PHP framework vulnerability have been detected.

It was last month that a code vulnerability was detected in the ThinkPHP framework; ThinkPHP is a rapid-development framework that is developed by TopThink, a Chinese firm. The vulnerability- CVE-2018-20062- was soon patched, but then a researcher detected new attacks targeting the vulnerability.

Vulnerability researcher Larry Cashdollar has found that multiple threat actors are exploiting this ThinkPHP vulnerability to launch cryptominers, skimmers and other malware payloads.

Dark Reading reports, “Larry Cashdollar, a vulnerability researcher and member of Akamai’s Security Incident Response Team, was doing research on a recent Magecart attack targeting extensions to the Magento e-commerce platform when he noticed a malware request he hadn’t seen before – a request to ThinkPHP.”

In a blog post that describes these attacks, Cashdollar writes, “While investigating the recent Magecart card skimming attacks, I came across a payload I was not familiar with. Further research into it lead me to discover that in December a researcher disclosed a remote command execution vulnerability in ThinkPHP, a web framework by TopThink…The developers fixed the vulnerability stating that because “the framework does not detect the controller name enough, it may lead to possible ‘getshell’ vulnerabilities without the forced routing enabled.” It appears that the code does not properly sanitize user input allowing an unauthenticated user to specify their own filter function to execute. The vulnerability has been assigned CVE-2018-20062.”

He further adds, “There are multiple actors abusing this flaw to install everything from a Mirai like botnet to Microsoft Windows malware…Currently we’re seeing widespread scanning for the ThinkPHP vulnerability. Threat actors are performing one of many simple checks.”

Cashdollar explains that the threat actors are exploiting the vulnerability to install coin miners, skimmers etc, to install different kinds of payload targeting Windows systems, IoT devices etc or to mine Bitcoin/Monero coins. He also points out that the threat actors can, using a single line of code, scan for the presence of the vulnerability and then exploit it for carrying out attacks involving simple cut-and-paste code that is widely available.

While observing the many payloads delivered exploiting the ThinkPHP vulnerability, Larry Cashdollar has seen a Mirai variant, which he thinks is a matter of concern.

The Dark Reading report quotes Cashdollar as saying, “I had been waiting for Mirai botnet kits to include Web app code in their arsenal, and this was an indicator that it’s happening.”

The report further says, “The code being executed through the PHP framework calls can skip a series of steps long considered essential for malware.” Cashdollar is quoted as saying that unlike in the 1990s, threat actors today don’t try to get root access. Instead, they just execute code on a system as a user and spread botnet, share malware or mine cryptocurrency. Their intention now it to execute code on large numbers of systems.

Though it’s in Asia that the attack has largely happened, cybercriminals exploiting the ThinkPHP framework vulnerability are actively scanning systems in other parts of the world as well. There are as many as 600 scans happening per day, with threat actors scanning software companies, car rental firms etc.

Some Web application security firms have reportedly begun writing advisories to their customers regarding this vulnerability. Cashdollar says that companies that are using the ThinkPHP framework should update it to the current version immediately.

Related Blogs

Scan PHP Files for Malicious Code Online