Threat actors in the wild are leveraging a recently discovered flaw in the ThinkPHP PHP framework to install
cryptominers, skimmers, and other malware.
The flaw was already addressed by TopThink, the Chinese firm that designed the framework, but security expert Larry Cashdollar of
Akamai’s Security Incident Response Team has now observed active exploitation of the flaw in the wild.
Cashdollar was investigating a recent Magecart campaign when he discovered a new strain of malware.
“While investigating the recent Magecart card skimming attacks, I came across a payload I was not familiar with. Further research into it
The developers fixed the vulnerability, stating that because “the framework does not detect the controller name enough, it may lead to possible ‘
Multiple attackers are using relatively simple techniques to trigger the issue. According to Cashdollar, a single line of code is enough to scan for the flaw.
Once a vulnerable host is found, the attackers can use publicly available exploit code to exploit it and install a variety of malware.
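The root cause the developers describe is insufficient checking of the controller name taken from the request. The PHP below is an added illustration, not ThinkPHP's own code and not the actual patch: it contrasts a weak check that only rejects an empty name with a strict allow-list that accepts a plain identifier and maps it to a controller the application deliberately exposes. The controller names, class names and sample inputs are hypothetical and constructed for the example.

```php
<?php
// Added illustration, not ThinkPHP's own code: a dispatcher that resolves a
// controller name supplied by the client. The weak check mirrors the root
// cause described by the developers (the name is not checked strictly
// enough); the strict check is the allow-list a framework should apply.
// Controller names, class names and sample inputs are hypothetical.

declare(strict_types=1);

// Hypothetical controllers the application actually exposes.
const KNOWN_CONTROLLERS = [
    'index' => 'App\\Controller\\Index',
    'user'  => 'App\\Controller\\User',
];

// Weak: only rejects an empty name, so a crafted value such as a fully
// qualified class name or one carrying path or namespace separators passes
// straight through to class resolution.
function resolveControllerWeak(string $name): ?string
{
    if ($name === '') {
        return null;
    }
    return $name; // whatever the client sent becomes the class to load
}

// Strict: the name must be a plain identifier (starts with a letter, then
// letters, digits or underscore, bounded length) and must map to a
// controller we deliberately expose; anything else is refused.
function resolveControllerStrict(string $name): ?string
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $name)) {
        return null;
    }
    $key = strtolower($name);
    return KNOWN_CONTROLLERS[$key] ?? null;
}

// Constructed inputs: two legitimate names and two shaped like what an
// attacker would try when the framework trusts the raw value.
$samples = ['index', 'User', '\\some\\other\\Class', 'index/../admin'];
foreach ($samples as $s) {
    printf(
        "%-22s weak=%-22s strict=%s\n",
        $s,
        var_export(resolveControllerWeak($s), true),
        var_export(resolveControllerStrict($s), true)
    );
}
```

Run with `php` from the command line: the weak resolver returns every non-empty input unchanged, including the two crafted values, while the strict resolver returns a class only for `index` and `User` and `NULL` for the rest. The point is that validating the shape of the name is not enough on its own; the name must also resolve against an explicit list of controllers the application intends to expose.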
Cashdollar said that in one case, threat actors exploited the flaw to deliver a
“There are multiple actors abusing this flaw to install everything from a Mirai like
The analysis of
Cashdollar confirmed that threat actors are actively scanning systems across the world.
To secure your system, update the framework to the current version.
“There is so much attack traffic, and so many ways to hide, criminals no longer worry about the tracks they’ve left behind. The goal now is to get command execution as any user, on any type of system, to either spread a botnet, distribute malware, or mine cryptocurrency,” concludes the expert.
“We will see more cross-pollination of command execution vulnerabilities in web apps, enterprise software, and IoT devices being used against multiple target platforms.”
The post Attacks in the wild leverage flaw in ThinkPHP Framework appeared first on Security Affairs.