Threat Actors Rapidly Adopt New ThinkPHP RCE Exploit to Spread IoT Malware and Deploy Remote Shells
- by nlqip
Key Points
- Only a few days after the ThinkPHP vulnerability was discovered, it is already being exploited on the Internet.
- Almost 46,000 servers, most of which are located in China, are potential targets for this exploit.
- Multiple campaigns have been launched simultaneously by different threat actors, which suggests how much infection potential this vulnerability carries.
- Campaigns vary from reconnaissance and uploading of back doors to deploying a variant of the Mirai IoT malware.
F5 researchers have observed multiple new campaigns leveraging a very recent exploit against ThinkPHP, a popular PHP framework in China. Within days of its discovery, the vulnerability had already been exploited in the wild by multiple threat actors. With this vulnerability, we see a pattern similar to other RCE vulnerabilities, such as Apache Struts 2 (CVE-2017-5638), covered last year, where attackers rushed to capitalize on the time it takes organizations to patch and to profit from it. New ThinkPHP vulnerability campaigns with a variety of purposes are being launched every couple of days. In our experience, although rapidly deployed, these campaigns can last for more than a year.
Remote Code Execution Vulnerability
On December 9, ThinkPHP released a security update stating that a recent vulnerability had been patched. According to ThinkPHP (translated from Chinese), “Because the framework does not detect the controller name enough, it may lead to possible ‘getshell’ vulnerabilities without the forced routing enabled.” After looking into the vulnerable code, it is clear that this vulnerability stems from non-validated input: the controller name taken from the request is not checked strictly enough, which allows an attacker to reach the app's invokefunction method and run arbitrary functions on the affected system. This vulnerability affects versions 5.0 and 5.1 and was fixed in versions 5.0.23 and 5.1.31.
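The root cause described above is a controller name that is accepted without strict validation. The following added example (not ThinkPHP's code, and not from the original article) models the difference between a lax check and a defensive one in Python: a syntactic allowlist for the identifier plus an allowlist of registered controllers, so that a name carrying a namespace separator or naming an internal class is rejected before any dispatch happens. The controller names and the sample routes are constructed for illustration.

```python
import re
from typing import Callable, Optional

# Constructed allowlist: the only controllers this hypothetical app exposes.
REGISTERED_CONTROLLERS = {"index", "user", "order"}

# Strict identifier pattern: letters, digits and underscore only, no leading
# digit, no namespace separators ("\" or "/"), no dots, bounded length.
CONTROLLER_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def lax_check(name: str) -> bool:
    """Models an insufficient check: any non-empty string passes.

    A value containing a namespace separator would reach the dispatcher
    and could be resolved to a class the application never meant to expose.
    """
    return bool(name)


def strict_check(name: str) -> bool:
    """Defensive check: the name must look like a plain identifier AND be
    one of the controllers this application actually registers."""
    return bool(CONTROLLER_NAME_RE.match(name)) and name.lower() in REGISTERED_CONTROLLERS


def resolve_controller(route: str,
                       check: Callable[[str], bool] = strict_check) -> Optional[str]:
    """Split a 'controller/action' route and return the controller name only if
    it passes the supplied check; None means the request should be rejected
    (HTTP 400) rather than dispatched."""
    controller, _, _action = route.partition("/")
    return controller if check(controller) else None


if __name__ == "__main__":
    # Constructed sample routes: one legitimate, one carrying a namespace
    # separator and naming an internal method instead of a registered controller.
    for route in ("index/hello", "some\\namespace/invokefunction"):
        print(route, "->", resolve_controller(route, lax_check), "(lax)",
              resolve_controller(route), "(strict)")
```

The strict variant rejects the second route outright; the lax one passes it through, which is the class of defect the advisory describes.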