Security researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware, and to get an insight into the current threat landscape. Unlike the previous few months in which threat actors focused on cryptominers, in August they were primarily running new reconnaissance campaigns. At the same time, they continued to target well-known vulnerabilities in Elasticsearch and Oracle WebLogic on vulnerable systems.
On average, we detect about 15 new threat campaigns per month; in August 2019, we detected only five. While June 2019 was the slowest month for overall threat activity, August outpaced June when it came to malicious requests.
Here’s an overview of the new threat activity we saw in August 2019.
The five new attack campaigns we detected all targeted vulnerabilities classified as “unsafe input injection.”
- Two campaigns targeted ThinkPHP servers that are vulnerable to a Remote Code Execution (RCE) vulnerability, CVE-2018-20062. The second of these campaigns attempted to install and execute a variant of the Mirai botnet.
The following notable campaigns were also detected:
- ElasticSearch Search Groovy Sandbox Bypass. This campaign aims to exploit Elasticsearch servers vulnerable to Elasticsearch Groovy Scripting Engine Sandbox Security Bypass Vulnerability (CVE-2015-1427). The threat actor instructs the server to return a "HelloElasticSearch" string in the response to the malicious request.
- Oracle WebLogic Async Deserialization RCE (date). This campaign aims to identify and exploit Oracle WebLogic servers vulnerable to the Oracle WebLogic Async Deserialization Remote Code Execution vulnerability (CVE-2017-10271). The threat actor instructs the server to execute a "date" shell command.
- Oracle WebLogic Async Deserialization RCE (max age). This campaign aims to identify and exploit Oracle WebLogic servers vulnerable to the Oracle WebLogic Async Deserialization Remote Code Execution vulnerability (CVE-2017-10271). The threat actor instructs the server to download and execute a malicious bash script. The remote server was taken offline before the researchers could analyze the malicious file.
Campaigns Targeting RCE Vulnerability on ThinkPHP Servers
ThinkPHP is a free, open source PHP framework developed by a Chinese company. According to the search engine ZoomEye, ThinkPHP is deployed on over 130,000 web servers throughout the world. The majority of these servers are located in China.
On December 9, 2018, ThinkPHP developers released a patch for CVE-2018-20062, a vulnerability that allows attackers to remotely execute PHP code due to improper input validation. Along with the patch, the developers released the following statement (translated from Chinese): “Because the framework does not detect the controller name enough, it may lead to possible ‘getshell’ vulnerabilities without the forced routing enabled.”
Two days after this patch was released, a working proof of concept (POC) was posted on ExploitDB demonstrating exploitation of the vulnerability. Immediately after, there was a huge uptick in the number of new campaigns targeting ThinkPHP servers.
Even though the vulnerability was disclosed and a patch was made available in late 2018, threat actors have continued running campaigns against vulnerable ThinkPHP servers. The root cause of the vulnerability is Improper Input Validation (CWE-20): the unvalidated controller name lets a malicious actor invoke sensitive framework functions. The developers patched the vulnerability by adding a new RegEx check on the controller name (see Figure 2). This RegEx does not allow any special characters in the controller name.
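To show what a whitelist check on the controller name buys a defender, here is an added example (not ThinkPHP's code or F5's) that applies a check of the kind described above to constructed access-log lines and reports requests whose controller segment would be rejected. The regex pattern, the `s=module/controller/action` route parser and the log lines are all assumptions made for this illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed hardened whitelist, modelled on the kind of RegEx check the patch
# adds: the controller name must start with a letter and then contain only
# word characters or dots. Illustrative pattern, not ThinkPHP's exact source.
CONTROLLER_NAME_RE = re.compile(r"^[A-Za-z][\w.]*$")

# Access-log lines constructed for this example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2019:10:01:12 +0000] "GET /index.php?s=index/Index/hello HTTP/1.1" 200 512
10.0.0.9 - - [12/Aug/2019:10:02:03 +0000] "GET /index.php?s=index/%5Cfoo%5Cbar/run HTTP/1.1" 200 44
10.0.0.7 - - [12/Aug/2019:10:03:40 +0000] "GET /index.php?s=index/User.Profile/show HTTP/1.1" 200 301
10.0.0.3 - - [12/Aug/2019:10:04:55 +0000] "GET /index.php?s=index/../Admin/list HTTP/1.1" 404 12
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def is_valid_controller_name(name: str) -> bool:
    """True only if the name passes the whitelist; slashes, backslashes,
    spaces, an empty name or a leading digit are all rejected."""
    return bool(CONTROLLER_NAME_RE.match(name))


def controller_from_request(path_and_query: str) -> Optional[str]:
    """Pull the controller segment out of a ThinkPHP-style 's' parameter
    (module/controller/action). parse_qs URL-decodes the value, so %5C
    becomes a backslash before the check runs. None if there is no 's'."""
    qs = parse_qs(urlparse(path_and_query).query)
    if "s" not in qs:
        return None
    segments = qs["s"][0].split("/")
    return segments[1] if len(segments) > 1 else None


def find_invalid_controller_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, controller) pairs whose controller name the
    hardened check would reject; handy for spotting probes of this bug."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        controller = controller_from_request(m.group(1))
        if controller is not None and not is_valid_controller_name(controller):
            hits.append((line.split()[0], controller))
    return hits


if __name__ == "__main__":
    for ip, ctrl in find_invalid_controller_requests(SAMPLE_LOG):
        print(f"{ip} requested controller {ctrl!r}: rejected by whitelist")
```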