Akamai Warns of Hackers Reusing 2018 Vulnerability to Target ThinkPHP

TapTechNews June 7th news: the network security company Akamai posted a blog on June 5th. Hackers have recently reused a vulnerability exposed in 2018 to attack ThinkPHP applications and install a persistent web shell backdoor named Dama.


ThinkPHP is a free and open-source, fast and simple object-oriented lightweight PHP development framework. It was created for agile web application development and to simplify enterprise application development, and it is quite popular in China.

TapTechNews lists the vulnerabilities used by the attackers as follows:

CVE-2018-20062:

Patched in December 2018; present in NoneCMS 1.3. Remote attackers can execute arbitrary PHP code through crafted filter parameters.

CVE-2019-9082:

Affects ThinkPHP 3.2.4 and earlier versions as used in the open-source BMS 1.1.1. It is a remote command execution flaw that was fixed in February 2019.

In this attack campaign, the attackers used these two vulnerabilities to achieve remote code execution and compromise the underlying content management system (CMS) on the target endpoint.

Specifically, the attackers used these vulnerabilities to download a text file named public.txt, which is actually the obfuscated Dama web shell, and save it as roeter.php.

This web shell then downloads further attack scripts and uses the password admin for a simple authentication step, giving the attacker remote control of the server.


Once a device is infected with the Dama web shell, the attacker can traverse the file system on the server, upload files, and collect system data to help escalate to root privileges.

It can also perform network port scans, access databases, and bypass disabled PHP functions to execute shell commands.
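As an added illustration that is not part of the Akamai post or the TapTechNews article, the following Python script scans constructed web-server access log lines for the indicators the report names: a client-supplied filter parameter (the CVE-2018-20062 pattern), references to the staged public.txt, and requests to the dropped roeter.php. The combined log format, the IP addresses and the `file` query parameter are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the report above: the staged file and the name the
# obfuscated Dama web shell is written to disk as.
STAGED_FILE = "public.txt"
WEB_SHELL = "roeter.php"

# Combined log format (assumed): ip - user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return the reasons a request looks like this campaign (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("path"))
    query = parse_qs(parts.query, keep_blank_values=True)
    target = parts.path.lower()
    reasons = []
    # CVE-2018-20062 is triggered through a crafted "filter" query parameter;
    # a client supplying it to a ThinkPHP app is worth reviewing.
    if "filter" in query:
        reasons.append("client-supplied filter parameter (CVE-2018-20062 pattern)")
    if STAGED_FILE in target or any(STAGED_FILE in v for vals in query.values() for v in vals):
        reasons.append(f"reference to staged payload {STAGED_FILE}")
    if target.endswith("/" + WEB_SHELL):
        kind = "command sent to" if m.group("method") == "POST" else "access to"
        reasons.append(f"{kind} web shell {WEB_SHELL}")
    return reasons

def scan(lines):
    """Map the client IP of every suspicious request to the accumulated findings."""
    hits = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.setdefault(LOG_RE.match(line).group("ip"), []).extend(reasons)
    return hits

# Constructed sample log lines (not real traffic); the "file" parameter is hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2024:10:00:01 +0000] "GET /index.php?filter=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jun/2024:10:00:02 +0000] "GET /index.php?filter=1&file=http://198.51.100.7/public.txt HTTP/1.1" 200 88',
    '203.0.113.5 - - [05/Jun/2024:10:00:05 +0000] "POST /public/roeter.php HTTP/1.1" 200 2048',
    '198.51.100.20 - - [05/Jun/2024:10:01:00 +0000] "GET /index.php?m=article&id=42 HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

A file-system sweep of the web root for roeter.php complements the log check, since the shell keeps working after the exploit requests have rotated out of the logs.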
