CyberWire Daily - ThinkPHP exploit from Asia-Pacific region goes global. [Research Saturday]
Episode Date: March 16, 2019
Akamai's Larry Cashdollar joins us to describe an exploit he recently came across while researching MageCart incidents. It's a remote command execution vulnerability affecting ThinkPHP, a popular web framework. The original research can be found here: https://blogs.akamai.com/sitr/2019/01/thinkphp-exploit-actively-exploited-in-the-wild.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
I have been examining payloads that were directed at Magento. I was doing this because I was researching the Magecart credit card skimming campaign.
That's Larry Cashdollar. He's a senior intelligence response engineer at Akamai. The research we're discussing today is titled ThinkPHP Exploit Actively Exploited in the Wild.
And I noticed a payload that wasn't specific to Magento, but it was something called ThinkPHP.
And I hadn't heard of it before, so I started to dig into it a little more.
And looking at the payloads in the GET request, it appeared to be a code injection vulnerability.
I wasn't familiar with it, so I decided to investigate and dig into it more and do a little bit of research on it.
And then I saw that a vulnerability had been disclosed in ThinkPHP only, I think, a few weeks prior. And I was looking at the IP addresses that the malicious requests were coming from. And a lot of them really originated in the
Asia Pacific region. So I just started to take notes and start writing things down and started
noticing that the payloads were varying and decided to start writing this up.
Let's go through it. I mean, this is a fairly technical one here. There's a lot of different things that you uncovered. So why don't we walk through it together? Shall we start with this ThinkPHP element that you discovered?
Someone, a researcher in, I believe it was in the China area or region, he disclosed a remote code execution vulnerability in this ThinkPHP framework.
This ThinkPHP is a framework that was developed by TopThink, a Chinese software
company, and the guy who discovered the vulnerability had disclosed it as an
issue on GitHub.
And it appears that the folks at TopThink quickly fixed the vulnerability, but
a lot of, I'd say, bad actors had already started abusing it or looking for it in the wild.
And what I had really noticed was a lot of widespread scanning for it. So what I originally
found was a request that was looking to see if ThinkPHP was there,
and then it was looking to inject a simple request to execute PHP code.
And the code that it was executing was just an MD5 sum of a string of numbers.
And if it got the MD5 sum of the string of numbers back,
then it knew that system was vulnerable to ThinkPHP,
and that they then would send another payload that would try and execute the more malicious command of downloading software or, you know, installing another crypto miner or something like that. So there was a lot of widespread scanning going on.
It was mostly originating from China and parts of Japan. It was targeting all industry verticals, so I
saw e-commerce sites being scanned for it. I saw
tire warehouses being scanned for it. It was sneaker stores, like any sort of vendor you
could think of. They were scanning software companies. It didn't matter. They were just
sort of scanning everything that was out on the internet for it, looking for this vulnerable
framework. And I realized while, for example, Microsoft.com might not be running it, Microsoft.com.cn might be running it.
So these guys were just scanning pretty much everything under the sun, seeing if there was any sort of, you know, APJ specific sister site that might be running this framework.
And when they run this test code, I mean, it doesn't trigger anything on the system that says anything's gone awry.
Right. You just would see it in your logs.
You'd have to look in your logs to find out if your system had been scanned.
And if you're running ThinkPHP on your system that's unpatched,
you might want to look for odd-looking files in your web server's root directory that don't belong to your website.
Honestly, at this point, it's most likely that you've been compromised.
So let's dig into some more of the details here.
So you establish that folks are looking for this, and it goes a little farther than that.
Right.
The three most prominent things that I saw were they were attempting to install a Mirai-like IoT botnet.
This botnet looked like it was built
for Linux systems, and it also utilized the ThinkPHP exploit itself. So you had a web framework that
was vulnerable to a remote command execution or remote code execution, but that had also been
ported to a Mirai-like IoT binary, and that was used to distribute the Mirai botnet code,
you know, using a web app vulnerability.
So they weren't just sticking to Mirai,
or I should say like IoT-specific vulnerabilities,
you know, like mo-command injection routers
or default known passwords.
They were actually using this web framework vulnerability
to install Mirai-like malware.
And then they were also looking for Windows-based systems.
So they were scanning systems looking for Windows IIS servers,
and they were using PowerShell to download a Windows binary that would scan the network looking for Samba connections,
and then it would use EternalBlue to try and
compromise those systems. And they would also, once installed, would use Mimikatz to harvest
credentials from those systems. So it was a pretty nasty piece of malware. It wasn't just looking to
install, say, a Bitcoin miner. It was looking to actually steal credentials and spread itself to
other Windows-like systems on the network. And then the other thing that I saw was installing
an XMR cryptocurrency miner. So it was also trying to mine Bitcoin on systems that were compromised
or that they could compromise. So there was at least three distinct payloads that I saw besides
the actual scanning for vulnerable systems. And some of the widespread scanning,
instead of seeing an MD5 sum of a string of numbers,
it was actually installing a shell file or a PHP shell
that would evaluate the post request that was encoded in that file name.
So there were other smaller payloads just to check to see if it existed,
but the more major ones were the Mirai IoT botnet, the cryptocurrency miner, the Windows
malware.
So is your sense with this that this is a widely known about vulnerability that many,
many different bad actors are taking advantage of?
Right.
The actors appear to be specific or at least concentrated in the Asia
Pacific region. And they appear to be scanning not only the Asia Pacific sites, but also the
entire internet as a whole. I think because they're looking for sites like Microsoft.com.cn
that might be utilizing this framework in the website's actual code base.
Now, the folks who develop this framework, TopThink, the folks who develop ThinkPHP,
are they aware of this? Has a patch been released?
Yeah, they've patched it. It looked like they patched it rather quickly,
but it doesn't seem to be stopping the actors or bad guys from actually looking for it.
I suspect they just know that systems may not be updated in a timely manner. Normally,
you know, patch cycles might be slow for websites. So while the vulnerability is relatively new,
they're going to do a lot of heavy scanning for it.
What's your sense for how widespread this is?
I know the scanning is pretty widespread. I know that there's about 50,000 downloads of the ThinkPHP framework.
I suspect they're probably specific to the Asia-Pacific region, but it looks like the guys looking for this aren't following that rule.
They're looking everywhere for it.
Interesting.
So besides, obviously, patching to make sure that you're running the version of ThinkPHP that's not vulnerable to this, are there other ways to protect yourselves against this?
Yeah, if you've got a web application firewall, I believe most command injection or PHP code injection rules will stop this vulnerability from being exploited. The payload is pretty straightforward.
It's usually trying to execute some command or it's passing along some PHP code, which is pretty easily going to trip a WAF rule on a firewall.
So if you've got a WAF in front of your website, then most likely it's probably been tripped already by this, but it might be good to go look at your logs and see what rules might have triggered and look at the payload and look for ThinkPHP in the payload string.
And as you say, this is mostly hitting Asia Pacific region
that's really where it seems to be concentrated?
Vulnerable sites are concentrated there, but this entire internet is being scanned for. So any machine on the internet or any website on the internet has probably been scanned for this vulnerability.
Our thanks to Larry Cashdollar from Akamai for joining us. The research is titled
Think PHP Exploit Actively Exploited in the Wild. We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and
technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett.
And I'm Dave Bittner.
Thanks for listening.