As we can see in Figure 8, the developers for SG Optimizer added a permission_callback command to the newly registered REST API routes. This indicates that prior to version 5.0.13, the SG Optimizer plugin had various privilege escalation vulnerabilities. Those vulnerabilities allowed any threat actor to send a malicious request to these registered REST API endpoints. In the recent campaign, the threat actor sent a malicious request to downgrade the PHP version for the WordPress installation to a PHP version with known vulnerabilities.

ThinkPHP Remote Code Execution (CVE-2018-10225)

It’s been almost four months since this vulnerability was first published, and while threat actors are still looking to exploit vulnerable ThinkPHP servers, we have seen the number of exploits steadily decline. According to Shodan, more than 46,000 web servers are running ThinkPHP, most of them located in China.

This month, we detected two new campaigns targeting this vulnerability. In one of the campaigns, the threat actor instructed the server to download and execute a malicious file. The size of the file, however, was only 0 bytes. This leads us to assume that the threat actor was probably attempting command reconnaissance.