
Chinese Hackers Exploit Old ThinkPHP Vulnerabilities in New Attacks

Akamai warns that a Chinese threat actor is exploiting years-old remote code execution vulnerabilities in ThinkPHP in new attacks. The post Chinese Hackers Exploit Old ThinkPHP Vulnerabilities in New Attacks appeared first on SecurityWeek.

Two remote code execution (RCE) vulnerabilities in ThinkPHP that were patched over five years ago are being exploited in a fresh wave of attacks, according to a warning from Akamai.

The bugs, publicly disclosed in late 2018 and early 2019 – see CVE-2018-20062 and CVE-2019-9082 – impact content management systems still using older versions of the popular open-source web application framework, and Akamai researchers say attackers are taking advantage of that.

In two attack campaigns, one running for a few days in October 2023 and another ongoing since April 2024, a Chinese-speaking threat actor has been exploiting the flaws to fetch a file from a likely compromised server in China, and to deploy a web shell on vulnerable servers.

The web shell, called Dama, allows attackers to navigate the file system and tamper with local files, harvest information, and upload files.

Post-exploitation, the attackers perform network port scanning, access existing databases, and escalate privileges, including by "bypassing disabled sensitive PHP functions to escape the PHP sandbox and execute shell commands on the server," Akamai said.

Additionally, the Dama web shell can abuse Windows task scheduler to reconfigure Windows Management Instrumentation (WMI) to add high-privileged users.

Impacting ThinkPHP prior to version 5.0.23, CVE-2018-20062 was patched in December 2018. CVE-2019-9082 impacts ThinkPHP versions before 3.2.4 and was addressed in February 2019.

Proof-of-concept (PoC) code targeting these flaws has been publicly available for over five years, and both were being exploited in the wild shortly after their public disclosure.
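Because the exploit requests for both flaws have the same recognisable shape, they are easy to spot in web-server access logs. The scanner below is an added example, not code from Akamai, SecurityWeek or the ThinkPHP project: it flags the request pattern the public PoCs use, namely a backslash-qualified framework class such as `\think\app` or `\think\Request` injected into the `s` route parameter (or PATH_INFO), chained with reflective helpers such as `invokefunction` and `call_user_func_array`. Those indicator patterns come from the public PoCs, not from the article, and the sample log lines are constructed for the example.

```python
"""Flag ThinkPHP route-injection probes in combined-format access logs.

Added example. Indicator patterns are taken from the public PoCs for
CVE-2018-20062 (ThinkPHP 5.x < 5.0.23) and CVE-2019-9082 (ThinkPHP 3.2.x
< 3.2.4); the sample log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format, as far as this scanner needs it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A legitimate ThinkPHP route is module/controller/action with no backslash;
# both PoCs smuggle a namespaced framework class (\think\app, \think\Request).
NAMESPACE_RE = re.compile(r"\\think\\", re.IGNORECASE)

# Reflective helpers and dangerous functions the public PoCs name in the
# function=, filter=, method= and vars[...]= parameters.
SUSPECT_CALLS = ("invokefunction", "call_user_func", "call_user_func_array",
                 "phpinfo", "system", "shell_exec", "passthru", "exec",
                 "assert", "eval")


def decode(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times to unwrap double-encoded probes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target: str) -> list[str]:
    """Return the indicators found in one request target (path plus query)."""
    parts = urlsplit(target)
    path = decode(parts.path)
    # parse_qs decodes one layer; decode() again for double-encoded values.
    params = {decode(k): [decode(v) for v in vs]
              for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    # ThinkPHP takes the route from `s` when present, otherwise from PATH_INFO.
    route = params.get("s", [path])[0]
    hits = []
    if NAMESPACE_RE.search(route):
        hits.append("namespace-injection")
    for key, values in params.items():
        if key in ("function", "filter", "method") or key.startswith("vars["):
            hits.extend(f"{key}={v}" for v in values if v.lower() in SUSPECT_CALLS)
    if "invokefunction" in route.lower():
        hits.append("invokefunction")
    return hits


def scan(lines):
    """Parse log lines and return one finding per request carrying indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = classify(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["time"],
                             "status": m["status"], "target": m["target"],
                             "indicators": hits})
    return findings


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    # Benign ThinkPHP route: module/controller/action, no namespace.
    r'198.51.100.4 - - [10/Jun/2024:08:00:01 +0000] "GET /index.php?s=index/user/login HTTP/1.1" 200 2048',
    # Static asset, irrelevant.
    r'198.51.100.4 - - [10/Jun/2024:08:00:02 +0000] "GET /static/css/app.css HTTP/1.1" 200 9120',
    # 5.x probe shape: namespace injection, invokefunction, reflective md5() call.
    r'203.0.113.7 - - [10/Jun/2024:08:01:15 +0000] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 200 64',
    # Percent-encoded variant through the public/ front controller.
    r'203.0.113.7 - - [10/Jun/2024:08:01:16 +0000] "GET /public/index.php?s=index/%5Cthink%5CRequest/input&filter=phpinfo&data=1 HTTP/1.1" 200 31337',
    # Route carried in PATH_INFO instead of the `s` parameter.
    r'203.0.113.9 - - [10/Jun/2024:08:02:40 +0000] "POST /index.php/index/\think\app/invokefunction HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["indicators"])
```

A 200 response to one of these probes is the line to chase first: the md5("HelloThinkPHP") request is a reconnaissance fingerprint, and a server that answers it with the hash is telling the scanner it is exploitable. Because the route can travel in `s`, in PATH_INFO, or percent-encoded, any detection that only greps for the literal string `\think\app` in the raw line will miss the encoded and path-based variants handled above.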

With the framework now at version 8.0, Akamai says organizations should patch as a matter of urgency, especially given that attackers continue to target unpatched versions.

“The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully-fledged web shell, designed for advanced victim control. Interestingly, not all targeted customers were using ThinkPHP, which suggests that the attackers may be indiscriminately targeting a broad range of systems,” Akamai added.
