In December 2018, we witnessed active exploitation of a ThinkPHP vulnerability. After the discoverers of the flaw published a proof of concept (PoC), it was being exploited within 24 hours, triggering a barrage of attacks on more than 45,000 websites. Although the developers released a patch for the bug, it continued to be actively exploited in the wild on servers that had not yet applied it.
ThinkPHP Vulnerability Still Actively Exploited
Last month, the developers fixed a flaw in the ThinkPHP framework that threatened more than 45,000 websites. Despite the fix, researcher Larry Cashdollar has still spotted the flaw being actively exploited.
As he states in his blog, he was investigating Magecart card-skimming attacks when he noticed something else. Digging a little deeper revealed multiple active exploits of the ThinkPHP vulnerability.
“There are multiple actors abusing this flaw to install everything from a Mirai-like botnet to Microsoft Windows malware.”
Specifically, he found multiple payload variations pursuing different malicious goals, including cryptocurrency mining, web shell backdoors, and other malware. The targeted machines include Windows, Linux, and IoT devices. He further explained the payloads outlined in his report:
“…it appears the Linux infections build a botnet with a lot of similarities to Mirai. Windows infections appear to be involved in Crypto Mining activities, trojans, and additional features such as Windows password cracking capabilities.”
According to his findings, most of the active exploitation is happening in the Asia-Pacific region, where the ThinkPHP framework originated. However, the attacks are not limited to that region; the attackers are also targeting other locations, including Europe. The attackers appear to be seeking out as many vulnerable devices as they can for mining Bitcoin and Monero.
“The majority of the attacking IPs are compromised web servers, routers, and IoT devices.”
About The ThinkPHP Web Framework Vulnerability
The ThinkPHP flaw made the news when multiple reports of active exploitation surfaced online. As revealed last month, a threat group using the alias “D3cemb3r” attacked more than 45,000 Chinese websites to spread the Miori IoT malware.
The vulnerability exists in the ThinkPHP framework, a web framework developed in China. This remote code execution flaw (CVE-2018-20062) enables a remote attacker to execute arbitrary code. As described by FortiGuard Labs,
“The vulnerability is a result of the application’s failure to properly sanitize user requests. As a result, a remote attacker can send a crafted HTTP request to execute arbitrary code on a vulnerable server.”
The flaw affected ThinkPHP versions 5.0 and 5.1. The developers have since patched it in more recent releases.
However, even after the patch, Cashdollar observed continued exploitation of the flaw. Regarding remediation, DarkReading reports that he recommends immediately upgrading to the current patched version of the ThinkPHP framework.