ThinkPHP Remote Code Execution Vulnerability Used To Deploy Variety of Malware (CVE-2018-20062)
A remote code execution bug in the Chinese open source framework ThinkPHP is being actively used by threat actors to implant a variety of malware, primarily targeting Internet of Things (IoT) devices.
Hintergrund
Over the last few months, attackers have been leveraging CVE-2018-20062, a remote code execution (RCE) vulnerability in Chinese open source PHP framework ThinkPHP, to implant a variety of malware. While the vulnerability was patched on December 9, 2018, a proof of concept (PoC) was published to ExploitDB on December 11.
Analyse
Shortly after the publication of the PoC, researchers observed an uptick in attackers scanning for vulnerable versions of ThinkPHP. On December 20, Trend Micro published a blog about a new IoT botnet called Miori that spreads using CVE-2018-20062. According to Trend Micro researchers, additional IoT malware known as IZ1H9 and APEP began to utilize the same vulnerability as an infection vector.
In January 2019, the Akamai security team not only observed this vulnerability being used in attacks to implant IoT malware, but also discovered it being used to spread cryptocurrency miners and Windows malware. Trend Micro posted another blog on January 25, detailing the usage of this vulnerability by IoT malware known as Hakai and Yowai.
On February 4, researchers at Check Point named ThinkPHP as the initial infection vector in attacks targeting systems to implant a backdoor trojan known as SpeakUp.
Despite being patched in December 2018, CVE-2018-20062 has become a popular vulnerability for attackers looking to implant IoT malware onto systems. The vulnerability has also been observed in the propagation of other types of malware like cryptocurrency miners and trojans. We expect this to remain a popular exploit with attackers as long as systems remain unpatched.
Lösung
This vulnerability was patched in ThinkPHP versions 5.0.23 and 5.1.31. Users are strongly encouraged to upgrade to a newer version of the framework.
Identifizieren betroffener Systeme
A list of Nessus plugins to identify these vulnerabilities can be found here.
Weitere Informationen
- National Vulnerability Database: CVE-2018-20062
- PoC: ThinkPHP 5.x < v5.0.23,v5.1.31 Remote Code Execution
- With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit
- ThinkPHP Exploit Actively Exploited In The Wild
- ThinkPHP Vulnerability Abused by Botnets Hakai and Yowai
- SpeakUp: A New Undetected Backdoor Linux Trojan
Verfolgen Sie die Beiträge des Security Response Team von Tenable in der Tenable Community.
Erfahren Sie mehr über Tenable, die erste Cyber Exposure-Plattform für die ganzheitliche Verwaltung Ihrer modernen Angriffsoberfläche.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Verwandte Artikel
CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities
May 9, 2024Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.
Cybersecurity Snapshot: Attackers Pounce on Unpatched Vulns, DBIR Says, as Critical Infrastructure Orgs Benefit from CISA’s Alert Program
May 3, 2024Verizon’s DBIR found that hackers are having a field day exploiting vulnerabilities to gain initial access. Plus, a CISA program is helping critical infrastructure organizations prevent ransomware attacks. In addition, check out what Tenable’s got planned for RSA Conference 2024. And get the latest on the Change Healthcare breach. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
Shifting the Paradigm: Why the Cyber Insurance Industry Should Focus on Preventive Security
May 13, 2024As claims and losses climb, it’s clear that preventive security should be prioritized more when designing a cyber insurance policy. Here’s why preventive security investments are cost effective and can lead to lower premiums.
Cybersecurity Snapshot: New Guide Explains How To Assess if Software Is Secure by Design, While NIST Publishes GenAI Risk Framework
May 10, 2024Is the software your company wants to buy securely designed? A new guide outlines how you can find out. Meanwhile, a new NIST framework can help you assess your GenAI systems’ risks. Plus, a survey shows a big disconnect between AI usage (high) and AI governance (low). And MITRE’s breach post-mortem brims with insights and actionable tips. And much more!
CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities
May 9, 2024Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.
- Vulnerability Management