Research Saturday 3.16.19
Ep 77 | 3.16.19

ThinkPHP exploit from Asia-Pacific region goes global.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multi cloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Larry Cashdollar: [00:01:53] I have been examining payloads that were directed at Magento. I was doing this because I was researching a Magecart credit card skimming campaign.

Dave Bittner: [00:02:01] That's Larry Cashdollar. He's a Senior Intelligence Response Engineer at Akamai. The research we're discussing today is titled, "ThinkPHP Exploit Actively Exploited in the Wild."

Larry Cashdollar: [00:02:12] And I noticed the payload that wasn't specific to Magento, but it was something called ThinkPHP. And I hadn't heard of it before, so I started to dig into a little more, and looking at the payloads in the GET requests, it appeared to be a code injection vulnerability. I wasn't familiar with it, so I decided to investigate and dig into it more, and do a little bit of research on it, and then saw a vulnerability had been disclosed in ThinkPHP in - only, I think, a few weeks prior. And I was looking at the IP addresses that the malicious requests were coming from, and a lot of them really originated in the Asia-Pacific region. So I just started to take notes and start writing things down, and started noticing that the payloads were varying, and decided to start writing this up.

Dave Bittner: [00:02:59] Let's go through it. I mean, this is a fairly technical one here. There's a lot of different things that you uncovered, so why don't we walk through it together. Shall we start with this ThinkPHP element that you discovered?

Larry Cashdollar: [00:03:10] Someone - a researcher in, I believe it was in the China area or region - he disclosed a remote code execution vulnerability in this ThinkPHP framework. This ThinkPHP is a framework that was developed by TopThink, a Chinese software company. And the guy who discovered the vulnerability had disclosed it as an issue on GitHub. And it appears that the folks at TopThink quickly fixed the vulnerability, but a lot of, I'd say, bad actors had already started abusing it or looking for it in the wild. And what I really noticed was a lot of widespread scanning for it.

Larry Cashdollar: [00:03:55] So, what I originally found was a request that was looking to see if ThinkPHP was there, and then it was looking to inject a simple request to execute PHP code, and the code that it was executing was just an MD5 sum of a string of numbers. And if it got the MD5 sum of the string of numbers back, then it knew that system was vulnerable to ThinkPHP, and that - they then would send another payload that would try to execute the more malicious command of downloading software or, you know, installing another cryptominer - something like that.

Larry Cashdollar: [00:04:28] So, there was a lot of widespread scanning going on. It was mostly originating from China and parts of Japan. It was targeting all industry verticals. So, I saw e-commerce sites being scanned for it. I saw tire warehouses being scanned for it. You know, it was sneaker stores - like, any sort of vendor you could think of. It would scan software companies - didn't matter. It was just sort of scanning everything that was out on the Internet for it, looking for this vulnerable framework.

Larry Cashdollar: [00:04:57] And, you know, I realized - while, for example, might not be running it, microsoft[.]com[.]cn might be running it. So, these guys were just scanning pretty much everything under the sun, seeing if there was any sort, you know, APJ-specific sister site that might be running this framework.

Dave Bittner: [00:05:15] And when they run this test code, I mean, it doesn't trigger anything on the system that says anything's gone awry.

Larry Cashdollar: [00:05:22] Right. You just would see it in your logs. You'd have to look in your logs to find out if your system had been scanned. And if you're running ThinkPHP on your system that's unpatched, you might want to look for odd-looking files in your web server group directory that don't belong to your website. Honestly, at this point, it's most likely that you've been compromised.

Dave Bittner: [00:05:45] So, let's dig into some more of the details here. So, you establish that folks are looking for this, and it goes a little farther than that.

Larry Cashdollar: [00:05:53] Right. The three most prominent things that I saw were - they were attempting to install a Mirai-like IoT botnet. This botnet would look like it was built for Linux systems, and it also utilized the ThinkPHP exploit itself. So, you had a web framework that was vulnerable to a remote command execution or remote code execution, but that had also been ported to a Mirai-like IoT binary, and that was used to distribute the Mirai botnet code, you know, using a web app vulnerability. So, the more it's just sticking to Mirai - or, I should say, like, IoT-specific vulnerabilities, you know, like remote command injection routers, or default known passwords - they were actually using this web framework vulnerability to install Mirai-like malware.

Larry Cashdollar: [00:06:40] And then they were also looking for Windows-based systems. So, they were scanning systems looking for Windows IIS servers, and they were looking to see - they were using PowerShell to download a Windows binary that would scan the network looking for Samba connections, and then it would use EternalBlue to try and compromise those systems. And they were also - once installed - would use Mimikatz to harvest credentials from those systems. So, it was a pretty nasty piece of malware. It wasn't just looking to install, say, a Bitcoin miner. It was looking to actually steal credentials and spread itself to other Windows-like systems on the network.

Larry Cashdollar: [00:07:23] And then the other thing that I saw was installing an XMR cryptocurrency miner. So, it was also trying to mine Bitcoin on systems that were compromised, or that they could compromise. So, there was at least three distinct payloads that I saw, besides the actual scanning for vulnerable systems. And some of the widespread scanning, you know, instead of seeing an MD5 sum of a string of numbers, it was actually installing a shell file, or a PHP shell, that would evaluate the POST request that was encoded in the filename. So it was - you know, there were other smaller payloads, just to check to see if it existed. But the more major ones were for a Mirai IoT botnet, the cryptocurrency miner, the Windows malware.

Dave Bittner: [00:08:09] So, is your sense with this that this is a widely known-about vulnerability that many, many different bad actors are taking advantage of?

Larry Cashdollar: [00:08:17] Right. The actors appear to be specific, or at least concentrated in the Asia-Pacific region, and they appear to be scanning not only the Asia-Pacific sites, but also the entire Internet as a whole - I think because they're looking for sites like microsoft[.]com[.]cn that might be utilizing this framework in the website's actual code base.

Dave Bittner: [00:08:40] Now, the folks who develop this framework, TopThink - the folks who develop ThinkPHP - are they aware of this? Has a patch been released?

Larry Cashdollar: [00:08:49] Yeah, they've patched it. It looked like they patched rather quickly, but it doesn't seem to be stopping the actors or bad guys from actually looking for it. I suspect they just know that systems may not be updated in a timely manner. You know, normally patch cycles might be slow for websites. So, while the vulnerability is relatively new, they're going to a lot of scanning for it.

Dave Bittner: [00:09:11] And what's your sense for how widespread this is?

Larry Cashdollar: [00:09:14] I know the scanning is pretty widespread. I know that there's about fifty thousand downloads of the ThinkPHP framework. I suspect they're probably specific to the Asia-Pacific region, but it looks like the guy's looking for this aren't following that rule. They're looking everywhere for it.

Dave Bittner: [00:09:35] Interesting. So, besides, obviously, you know, patching to make sure that you're running the version of ThinkPHP that's not vulnerable to this, are there other ways to protect ourselves against this?

Larry Cashdollar: [00:09:47] Yeah, if you've got a web application firewall, I believe most command injection or PHP code injection rules will stop this vulnerability from being exploited. The payload is pretty straightforward - it's usually trying to execute some command, or it's passing along some PHP code, which is pretty easily gonna trip a WAF rule on a firewall. So, you've got a WAF in front of your website, then most likely it's probably been tripped already by this. But it might be good to go look at your logs and see, you know, what rules might have triggered, and look for the payload, and look for "ThinkPHP" in the payload string.

Dave Bittner: [00:10:26] And as you say, this is mostly hitting Asia-Pacific region - that's really where it seems to be concentrated?

Larry Cashdollar: [00:10:31] The vulnerable sites are concentrated there, but the entire Internet is being scanned for it.

Dave Bittner: [00:10:37] Interesting.

Larry Cashdollar: [00:10:36] So, any machine on the Internet or any website on the Internet has probably been scanned for this vulnerability.

Dave Bittner: [00:10:45] Our thanks to Larry Cashdollar from Akamai for joining us. The research is titled, "ThinkPHP Exploit Actively Exploited in the Wild." We'll have a link in the show notes.

Dave Bittner: [00:10:56] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:11:04] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:11:14] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.