There is widespread scanning for a recently disclosed remote code execution vulnerability in the ThinkPHP framework, Akamai reveals.
ThinkPHP, a web framework by TopThink, is a Chinese-made PHP framework used by a large number of web developers in the country. In early December 2018, the framework was revealed to be impacted by a remote code execution bug that could allow an attacker to take over a vulnerable server.
The issue was that user input was not properly sanitized, thus allowing an unauthenticated user to specify their own filter function to execute.
“An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/thinkRequest/input&filter=phpinfo&data=1 query string,” the flaw’s MITRE page reads.
Tracked as CVE-2018-20062, the vulnerability started being targeted immediately after proof-of-concept (PoC) code for it was published on December 11. Security researchers noticed an increase in scans for the vulnerability within days.
Now, Akamai notes that they have observed widespread scanning for the ThinkPHP vulnerability, and that multiple actors target the flaw to install “everything from a Mirai-like botnet to Microsoft Windows malware.”
Other identified payloads include web shell backdoors and crypto currency mining software, as well as malware featuring distributed denial of service, spam and phishing capabilities, and data exfiltration functionality, and tools capable of harvesting Windows credentials (Mimkatz).
“There is so much attack traffic, and so many ways to hide, criminals no longer worry about the tracks they’ve left behind. The goal now is to get command execution as any user, on any type of system, to either spread a botnet, distribute malware, or mine cryptocurrency,” Akamai’s Larry Cashdollar says.
The security researcher also suggests that there will be “more cross-pollination of command execution vulnerabilities in web apps, enterprise software, and IoT devices being used against multiple target platforms.” On top of that, WordPress plugin vulnerabilities also appear to be making their way into the IoT exploitation Swiss army knife, he says.