TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

Threat Actors Rapidly Adopt New ThinkPHP RCE Exploit to Spread IoT Malware and Deploy Remote Shells

2018-12-19

ATT&CK techniques detected

10 predictions
T1190 Exploit Public-Facing Application (98%)
“en/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron.html). What to do? ThinkPHP has published an official security update patching this vulnerability and upgrading to version 5.0.23 or 5.1.31 wi…”

T1190 Exploit Public-Facing Application (97%)
“Threat Actors Rapidly Adopt New ThinkPHP RCE Exploit to Spread IoT Malware and Deploy Remote Shells. Key points: only a few days after the ThinkPHP vulnerability was discovered, it is already being exploited on the Internet. Almost 46,000 servers, most of which are located in Chin…”

T1190 Exploit Public-Facing Application (91%)
“Another PoC was published on packetstormsecurity.com, and another PoC popped up in the forum on ThinkPHP’s official website. Figure 2. The vulnerability published on ThinkPHP’s official website (translated from Chinese). Shortly after these published PoCs, we started seeing…”

T1059.004 Unix Shell (66%)
“SHA1 calculation is done on the provided secret and the injected code will execute only if the substring of this calculation equals a specific value. This allows the threat actor to prevent possible takeover of this shell by other threat actors. Once the PHP file is uploaded to t…”

T1059.006 Python (60%)
“4. Attacker sends malicious payload to determine if the targeted server is vulnerable. Installing a back door. Another campaign we spotted was trying to deploy a PHP shell on vulnerable servers. This campaign uploads a PHP shell to the targeted server, to later be used as an arbitr…”

T1190 Exploit Public-Facing Application (55%)
“4. Attacker sends malicious payload to determine if the targeted server is vulnerable. Installing a back door. Another campaign we spotted was trying to deploy a PHP shell on vulnerable servers. This campaign uploads a PHP shell to the targeted server, to later be used as an arbitr…”

T1059.004 Unix Shell (51%)
“the curl command. This bash script then downloads and executes the binaries of the Hikari botnet malware, while each executable targets a different processor architecture, focusing mostly on IoT (ARM, MIPS, SH4, etc.). Figure 10. Bash script downloads and executes Hikari execut…”

T1505.003 Web Shell (45%)
“4. Attacker sends malicious payload to determine if the targeted server is vulnerable. Installing a back door. Another campaign we spotted was trying to deploy a PHP shell on vulnerable servers. This campaign uploads a PHP shell to the targeted server, to later be used as an arbitr…”

T1059.004 Unix Shell (44%)
“4. Attacker sends malicious payload to determine if the targeted server is vulnerable. Installing a back door. Another campaign we spotted was trying to deploy a PHP shell on vulnerable servers. This campaign uploads a PHP shell to the targeted server, to later be used as an arbitr…”

T1588.006 Vulnerabilities (36%)
“Another PoC was published on packetstormsecurity.com, and another PoC popped up in the forum on ThinkPHP’s official website. Figure 2. The vulnerability published on ThinkPHP’s official website (translated from Chinese). Shortly after these published PoCs, we started seeing…”

Summary

Threat actors wasted no time jumping on this new exploit to launch new campaigns for reconnaissance, uploading back doors, and deploying variants of the Mirai botnet.