Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Web Shell. Show all posts

Attackers Exploit 2018 ThinkPHP Vulnerabilities to Install ‘Dama’ Web Shells

 

Chinese threat actors are exploiting CVE-2018-20062 and CVE-2019-9082 vulnerabilities in ThinkPHP applications to install Dama, a persistent web shell.

The web shell allows for further exploitation of the compromised endpoints, such as enlisting them as part of the perpetrators' infrastructure to avoid detection in future operations. 

The first indications of this activity date back to October 2023, but according to Akamai analysts tracking it, the malicious behaviour has lately expanded and intensified.

Targeting old flaws

ThinkPHP is a popular open-source framework for developing online appps, particularly in China.

CVE-2018-20062, which was resolved in December 2018, is a vulnerability identified in NoneCMS 1.3 that allows remote attackers to execute arbitrary PHP code by manipulating the filter parameter. 

CVE-2019-9082 affects ThinkPHP 3.2.4 and older, which is used in Open Source BMS 1.1.1. It is a remote command execution issue that was addressed in February 2019.

The two weaknesses are exploited in this campaign to allow attackers to execute remote malware, impacting the underlying content management systems (CMS) on the target endpoints. 

Specifically, the attackers exploit the vulnerabilities to download a text file called "public.txt," which is actually the obfuscated Dama web shell saved as "roeter.php.”

The payload is downloaded from hacked servers in Hong Kong, and the attackers gain remote server control after a simple authentication step with the password "admin." 

According to Akamai, the servers delivering the payloads are infected with the same web shell, implying that compromised systems are being used as nodes in the attacker's infrastructure. 

Mitigation 

Exploiting 6-year-old flaws serves as another reminder of the ongoing issue of inadequate vulnerability management, as attackers in this case use security vulnerabilities that were patched a long time ago. 

The recommended course of action for potentially impacted organisations is to upgrade to the most recent ThinkPHP version, 8.0, which is safe against known remote code execution flaws. 

Akamai further adds that the campaign's targeting reach is vast, including systems that do not use ThinkPHP, implying opportunistic goals.