Hacker
Image: Midjourney

Chinese threat actors are targeting ThinkPHP applications vulnerable to CVE-2018-20062 and CVE-2019-9082 to install a persistent web shell named Dama.

The web shell enables further exploitation of the breached endpoints, such as enlisting them as part of the attackers' infrastructure to evade detection in subsequent operations.

The first signs of this activity date back to October 2023, but according to Akamai analysts monitoring it, the malicious activity has recently expanded and intensified.

Targeting old vulnerabilities

ThinkPHP is an open-source web application development framework that is particularly popular in China.

CVE-2018-20062, fixed in December 2018, is an issue discovered in NoneCMS 1.3, allowing remote attackers to execute arbitrary PHP code via crafted use of the filter parameter.

CVE-2019-9082 impacts ThinkPHP 3.2.4 and older, used in Open Source BMS 1.1.1., is a remote command execution problem addressed in February 2019.

The two flaws are leveraged in this campaign to enable the attackers to perform remote code execution, impacting the underlying content management systems (CMS) on the target endpoints.

Specifically, the attackers exploit the bugs to download a text file named "public.txt," which, in reality, is the obfuscated Dama web shell saved as "roeter.php."

The payload is downloaded from compromised servers located in Hong Kong and provides the attackers with remote server control following a simple authentication step using the password "admin."

Akamai says the servers delivering the payloads are infected themselves with the same web shell, so it appears that compromised systems are turned into nodes in the attacker's infrastructure.

The Dama web shell

Dama has advanced capabilities enabling the threat actors to navigate the file system on the compromised server, upload files, and gather system data, essentially aiding in privilege escalation.

It can also perform network port scanning, access databases, and bypass disabled PHP functions for shell command execution.

The Dama interface
The Dama interface
​​​​​​​Source: Akamai

A notable omission from Dama's capabilities is the lack of a command-line interface, which would allow threat actors a more hands-on approach to executing commands.

Akamai notes that this missing functionality is notable given Dama's otherwise extensive functionality.

Mitigation

Exploiting 6-year-old flaws serves as another reminder of the persistent problem of poor vulnerability management, as attackers, in this case, leverage security vulnerabilities patched a long time ago.

The recommended action for potentially impacted organizations is to move to the most recent ThinkPHP, version 8.0, which is safe against known remote code execution bugs.

Akamai also notes that the targeting scope of this campaign is broad, even impacting systems not using ThinkPHP, which suggests opportunistic motives.

Related Articles:

Dev rejects CVE severity, makes his GitHub repo read-only

Juniper releases out-of-cycle fix for max severity auth bypass flaw

Critical GitLab bug lets attackers run pipelines as any user

Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released

Hackers target new MOVEit Transfer critical auth bypass bug