A bug in the ThinkPHP framework has left over 45,000 websites open to a barrage of attacks. Hackers have been exploiting the bug to gain access to web servers. A hacker group named D3c3mb3r has been found exploiting the vulnerability in the wild. Another hacker group was also found exploiting the vulnerability to infect servers with the Miori malware.
According to ZDNet, the attacks began after a Chinese cybersecurity firm, VulnSpy, posted a proof-of-concept (PoC) of the exploit for ThinkPHP on ExploitDB - a popular website that hosts free exploit code. The PoC points out that by exploiting the vulnerability, attackers could execute malicious code on the underlying server.
"The PoC was published on December 11, and we saw internet-wide scans less than 24 hours later," Troy Mursch, co-founder of Bad Packets LLC told ZDNet.
Other security firms such as F5, GreyNoise, NewSky Security and Trend Micro have also confirmed Mursch’s report and found that the attackers have increased scanning for the vulnerability in the following days.
“They are very loud on PHP. Mostly looking for web servers and not IoT devices,” Ankit Anubhav, Principal Security Researcher for NewSky Security told ZDNet, commenting on the D3c3mb3r hacker group’s recent activities.
Trend Micro discovered that the attackers involved in using the Miori malware were leveraging the flaw to manipulate the control panels of home routers and IoT devices. Meanwhile, NewSky Security detected a fourth hacker group scanning for ThinkPHP-based websites and attempting to run Microsoft Powershell commands.
“The Powershell one is bizarre. They actually have some code that checks for OS type and runs different exploit code for Linux, but they also run Powershell just to try their luck,” Anubhav told ZDNet.