Attacks in the wild leverage flaw in ThinkPHP Framework

Haythem Elmir

Threat actors in the wild are leveraging a recently discovered flaw in the ThinkPHP PHP framework to install cryptominers, skimmers, and other malware.

Multiple threat actors are leveraging a recently discovered code execution vulnerability (CVE-2018-20062) in the ThinkPHP framework.

The flaw was already addressed by the Chinese firm TopThink that designed the framework, but security expert Larry Cashdollar at 
Akamai’s Security Incident Response Team has now discovered active exploits of the flaw in the wild.

Cashdollar was investigating a recent Magecart campaign when discovered a new strain of malware.

“While investigating the recent Magecart card skimming attacks, I came across a payload I was not familiar with.  Further research into it lead me to discover that in December a researcher disclosed a remote command execution vulnerability in ThinkPHP, a web framework by TopThink.” reads the analysis published by the expert.

“The developers fixed the vulnerability stating that because “the framework does not detect the controller name enough, it may lead to possible ‘getshell‘ vulnerabilities without the forced routing enabled.”

Multiple attackers are using relatively simple techniques to trigger the issue, according to Cashdollar, they can leverage a single line of code to scan for the flaw.

Once discovered the flaw, the attackers could use publicly available code to exploit it and install several malicious codes. 
Cashdollar said that in one case, threat actors exploited the flaw to deliver a varian of the Mirai bot.

“There are multiple actors abusing this flaw to install everything from a Mirai like botnet to Microsoft Windows malware. ” continues the post.

The analysis of sample from the last 7 days revealed that the majority of IP addresses are from the Asia Pacific region where the ThinkPHP framework is most popular.

ThinkPHP flaw

Cashdollar confirmed that threat actors are actively scanning systems across the world.

To secure your system update the framework to the current version.


Laisser un commentaire

Next Post

Collection #1 dump, 773 million emails, 21 million passwords

The popular cyber security expert Troy Hunt has uncovered a massive data leak he called ‘Collection #1’ that included 773 million records. The name ‘Collection #1’ comes from the name of the root folder. Someone has collected a huge trove of data through credential stuffing, the ‘Collection #1’ archive is a […]