Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Symantec Reports Uptick in PHP Inclusion Attacks

Researchers at Symantec say they have noticed an uptick of PHP code inclusion attacks leveraging a two-year-old vulnerability.

Researchers at Symantec say they have noticed an uptick of PHP code inclusion attacks leveraging a two-year-old vulnerability.

The attacks have targeted the company’s managed security services customers during the past three weeks, and have been leveraging CVE-2012-1823 to infect Internet-facing web servers. Only Linux webservers running out-of-date versions of PHP are vulnerable. As of Jan. 6, more than 60 Security Operations Center customers have been affected by the exploit attempts.

“There is no clear correlation between this activity and any individual industry vertical, with customers in health, financial, telecommunications, local government, and more being affected,” according to Symantec’s MSS Global Threat Response blog. “The main driver behind these exploits is to compromise and infect the victim webserver for financial gain. Binaries were extracted from the malicious servers utilized in the attack, revealing primarily bitcoin mining malware. Bitcoins are a virtual currency which is generated based on mathematical operations known as ‘mining’ on computer hardware.”

Attackers often infect machines with the intent of using them to generate bitcoins for financial gain, the company added. Researchers also linked the attack to a Linux worm targeting embedded devices.

“There’s no clear trend or geographic breakdown of source addresses that would lend itself to attribution,” according to Symantec. “Due to the nature of the attack, return traffic to the source host is not required. Redirection information is contained in the original exploit attempt, leading us to believe that source IP information has been spoofed. Identical exploit strings have been observed from numerous source addresses, further indicating spoofed activity.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.