A surge of cyber attacks has brought attention to the persistent issue of vulnerabilities in widely-used software. Researchers from Akamai have recently uncovered a new wave of attacks targeting ThinkPHP, a popular PHP framework. These attacks exploit known vulnerabilities to install remote shells, allowing attackers to gain unauthorized access to affected systems. The resurgence of these attacks highlights ongoing challenges in cybersecurity and the need for robust security measures.
ThinkPHP is a PHP framework designed to simplify web application development by providing extensive libraries and components. It was launched by TopThink in China and has since gained popularity for its ease of use and flexibility. ThinkPHP’s vulnerabilities, such as CVE-2018-20062 and CVE-2019-9082, have been the focus of recent cyber attacks aiming to exploit these weaknesses for malicious purposes.
Earlier reports of ThinkPHP vulnerabilities revealed similar exploitation methods. Researchers noted that attackers frequently targeted unpatched systems, deploying web shells to control compromised servers. While previous attacks also utilized Chinese servers to host malicious files, the recent surge indicates a more coordinated effort. The sophistication of the “Dama” web shell, with capabilities like system information gathering and database access, shows an evolution in the tools used by cyber criminals. Despite the advanced features, “Dama” lacks command-line interface support for direct OS commands, which is unusual for a tool of its kind.
Exploitation Tactics
The latest attacks involve downloading a file named “public.txt” from a compromised Chinese server. This file then saves as “roeter.php” on the victim’s system, opening a password-protected, obfuscated web shell. Originating mainly from Zenlayer cloud IP addresses in Hong Kong, the attacks utilize the “Dama” web shell to navigate, edit, and delete files. It also modifies file system timestamps, uploads files, collects system data, performs port scans, and escalates privileges by disabling PHP constraints and scheduling tasks for high-privileged user additions.
Security Recommendations
It is critical for users of ThinkPHP to upgrade to the latest version, 8.0, to mitigate these vulnerabilities. Despite some customers not using ThinkPHP being targeted, indiscriminate attacks suggest a broader threat landscape. The possible objectives of these cyber attacks range from botnet recruitment to ransomware deployment, extortion, intelligence acquisition, and lateral movement within networks.
Key Insights:
- ThinkPHP’s known vulnerabilities remain a target for cyberattacks.
- The “Dama” web shell offers advanced features but lacks direct OS command support.
- Upgrade to ThinkPHP version 8.0 is essential to mitigate risks.
The sophisticated nature of recent attacks on ThinkPHP applications underscores the evolving threat landscape in cybersecurity. The “Dama” web shell’s capabilities demonstrate the increasing complexity of tools used by cyber attackers. The absence of direct OS command support in “Dama” is notable, as it reflects a trade-off between functionality and stealth. Users must remain vigilant and promptly apply security updates to protect against these and other emerging threats. Regularly monitoring network activity and implementing robust security protocols can also help mitigate the risks associated with these vulnerabilities.
