ThinkPHP Vulnerabilities Under Active Exploit: Researchers Warn
Akamai researchers have identified a resurgence of attacks targeting two known vulnerabilities in the ThinkPHP web application framework, CVE-2018-20062 and CVE-2019-9082. Both are several years old and have long had fixed releases available, yet they continue to be exploited, a reminder that attackers reliably gain access through unpatched, well-documented flaws rather than novel ones.
Attack Methodology
Akamai first detected signs of this activity on October 17, 2023, when a limited series of probes exploited these vulnerabilities. Unlike a typical proof-of-concept command, the payload instructed victim servers to fetch and install an obfuscated web shell from a remote server controlled by the attackers. This initial campaign was brief, but by April 2024 a similar and much larger campaign was observed.
The exploitation attempts, recorded by Akamai’s App & API Protector, downloaded a file named “public.txt” from a compromised server in China and saved it on the victim system as “roeter.php,” believed to be a misspelling of “router.” The file is an obfuscated web shell: a server-side backdoor script that gives the attacker remote control of the host. The obfuscation is a plain ROT13 transformation, which hides the code from naive string matching but is trivially reversible, and the shell is gated behind the password “admin.”
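Because the obfuscation is only ROT13, a dropped file of this kind can be triaged offline in a few lines. The script below is an added example, not Akamai’s tooling or the Dama shell itself. It assumes, without that detail being on the page, that the file either wraps its body in PHP’s str_rot13('...') call or is ROT13-encoded as a whole; it decodes either form and then looks for the usual web-shell indicators. The sample PHP files are constructed here for the demonstration.

```python
"""Triage helper for ROT13-obfuscated PHP web shells.

Added example, not code from the article or from the Dama shell. Assumption:
the dropped file either wraps its payload in PHP's str_rot13('...') or is
ROT13-encoded as a whole file; both variants are handled below.
"""
import codecs
import os
import re

# Strings a router/config file should never need; once de-obfuscated, two or
# more of them is a strong signal of a web shell (threshold is a judgement call).
SHELL_MARKERS = (
    "eval(", "$_POST", "$_REQUEST", "$_GET",
    "system(", "shell_exec(", "passthru(", "base64_decode(",
)

# Matches str_rot13('...') or str_rot13("..."); group 2 is the encoded literal.
_ROT13_CALL = re.compile(r"str_rot13\(\s*(['\"])(.*?)\1\s*\)", re.S)


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one function encodes and decodes."""
    return codecs.encode(text, "rot_13")


def deobfuscate(src: str) -> str:
    """Return the de-obfuscated PHP source.

    If str_rot13('...') literals are present, each is replaced by its decoded
    text so the real payload becomes visible. Otherwise, if the file has no
    '<?php' tag but one appears after rotating, the whole file is rotated.
    Anything else is returned unchanged.
    """
    if _ROT13_CALL.search(src):
        return _ROT13_CALL.sub(lambda m: rot13(m.group(2)), src)
    if "<?php" not in src and "<?php" in rot13(src):
        return rot13(src)
    return src


def find_markers(src: str) -> list[str]:
    """List the shell indicators present after de-obfuscation, in table order."""
    decoded = deobfuscate(src)
    return [marker for marker in SHELL_MARKERS if marker in decoded]


def looks_like_shell(src: str) -> bool:
    return len(find_markers(src)) >= 2


def scan_dir(root: str) -> list[str]:
    """Walk a web root and return paths of .php files that look like shells."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if looks_like_shell(fh.read()):
                    hits.append(path)
    return hits


# --- constructed samples (not real captured files) ---------------------------
_PAYLOAD = 'if($_POST["pass"]=="admin"){eval($_POST["cmd"]);}'
# Variant 1: payload hidden inside eval(str_rot13('...')).
SAMPLE_SHELL = "<?php eval(str_rot13('" + rot13(_PAYLOAD) + "')); ?>"
# Variant 2: the entire file stored ROT13-encoded.
SAMPLE_WHOLE_FILE = rot13("<?php " + _PAYLOAD)
# A legitimate-looking route file for comparison.
SAMPLE_BENIGN = "<?php\nreturn ['index' => 'index/Index/index'];\n"

if __name__ == "__main__":
    for label, sample in (("shell", SAMPLE_SHELL),
                          ("whole-file", SAMPLE_WHOLE_FILE),
                          ("benign", SAMPLE_BENIGN)):
        print(label, looks_like_shell(sample), find_markers(sample))
```

Run it against a copied web root with scan_dir("/path/to/webroot") during triage; anything it flags should be reviewed by hand, since the marker list is deliberately small and a packer other than ROT13 will not be decoded.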
The web shell, known as Dama, provides file system navigation, file editing, deletion, and timestamp modification, the last of which is useful for defeating timeline-based forensics. Unlike the web shells commonly used by Western and Eastern European threat actors, whose interfaces are typically in English, Dama’s user interface is in Chinese, pointing to its origin.
Dama also handles file uploads, gathers system information, and identifies candidate privilege-escalation exploits. Its post-exploitation features include network port scanning, database access, and several privilege-escalation methods, such as bypassing PHP’s disabled-function restrictions and reconfiguring the Windows Task Scheduler to add high-privileged users. Notably, despite this breadth, Dama has no command-line interface (CLI) for executing arbitrary OS shell commands directly.
Mitigation and Protection
Organizations using ThinkPHP should upgrade to a patched release; the current major version is 8.0. A server still exposed to either CVE is running a branch that was fixed years ago, so the upgrade may also require application code changes, but that effort is far smaller than an incident. A web application firewall (WAF) in front of the application adds a layer of protection against known exploit patterns, though it is not a substitute for patching, and regular vulnerability scans help catch instances that were missed. Responders can also hunt for the indicators described above: files named “roeter.php” in web-served directories, outbound requests for “public.txt,” and ROT13-encoded PHP source.