A PoC exploiting a security flaw in ThinkPHP has triggered frenetic scanning for vulnerable sites; most of the affected websites are hosted in China.
More than 45,000 Chinese websites have been exposed to massive attacks aimed at gaining access to their web servers. The attacks target sites built with ThinkPHP, a PHP framework that is very popular in China.
The attacks began after the Chinese cybersecurity company VulnSpy posted a proof of concept for ThinkPHP on ExploitDB, a website known for hosting and freely distributing exploit code.
The PoC exploits a vulnerability in the framework’s invokeFunction method to execute malicious code on the server. Like most vulnerabilities in web applications, it is remotely exploitable and can allow an attacker to take control of the server.
The attacks began in less than a day
The number of hackers exploiting ThinkPHP’s new vulnerability has also grown. In addition to the first attackers, there is now a group of security experts calling itself “D3c3mb3r”, and a further group that uses the ThinkPHP vulnerability to infect servers with the Miori IoT malware.
The presence of the latter group, detected by Trend Micro, also suggests that the ThinkPHP framework may have been used to build control tools for some home routers and IoT devices, as Miori may not currently work correctly on Linux servers. NewSky Security has additionally detected a fourth group that scans for ThinkPHP sites and attempts to execute Microsoft PowerShell commands.
The most significant of the groups exploiting this ThinkPHP vulnerability, however, is D3c3mb3r. This group does not focus on ThinkPHP in particular: it looks for flaws in everything related to PHP.
For the time being, though, this group is not doing anything special. It does not infect servers with cryptocurrency miners or other malware; it merely looks for vulnerable hosts, executes the basic command “echo hello d3c3mb3r”, and that is it.
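A defender-side check for the activity described above, written here as an added example rather than code from the article or from any of the groups it names: it scans web-server access-log lines for requests whose URL-decoded target references the invokeFunction method the PoC abuses, or carries the “hello d3c3mb3r” marker string. The log lines, query-string layout and marker list are constructed for this example; the article does not give the real request format, so this is a starting point for triage, not a complete signature.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Markers drawn from the article: the framework method the PoC abuses, and the
# command string the D3c3mb3r group runs on hosts it has probed.
SUSPICIOUS_MARKERS = ("invokefunction", "hello d3c3mb3r")

def decode_target(target):
    """URL-decode the request target repeatedly so %25-style double encoding
    cannot hide a marker; stop as soon as decoding no longer changes anything."""
    prev = None
    cur = target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur.lower()

def scan_access_log(lines):
    """Return one dict per request whose decoded target contains a marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded = decode_target(m.group("target"))
        matched = [k for k in SUSPICIOUS_MARKERS if k in decoded]
        if matched:
            hits.append({"ip": m.group("ip"), "status": int(m.group("status")),
                         "markers": matched, "target": m.group("target")})
    return hits

# Constructed sample lines (not real traffic); the query strings are illustrative only.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2018:10:01:02 +0000] "GET /index.php?s=home/index HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Dec/2018:10:01:09 +0000] "GET /index.php?s=admin/InvokeFunction&cmd=echo+hello+d3c3mb3r HTTP/1.1" 200 88',
    '198.51.100.9 - - [12/Dec/2018:10:02:11 +0000] "GET /index.php?s=%69nvoke%46unction HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A 200 response to a flagged request is the case worth escalating first, since it indicates the framework accepted the call rather than rejecting it.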
More than 45,000 vulnerable hosts
A search on Shodan shows that more than 45,800 servers running a ThinkPHP web application are currently reachable online. More than 40,000 of them are hosted on Chinese IP addresses, which makes sense since the ThinkPHP documentation is available only in Chinese and the framework is most likely little used abroad.
This also explains why most of the attackers looking for ThinkPHP sites are predominantly Chinese.
But one does not need to be Chinese to exploit a vulnerability in Chinese software. As more hackers learn about this new and easy way to break into web servers, attacks on Chinese sites will intensify.