Hackers Exploit Old ThinkPHP Vulnerabilities to Install Persistent ‘Dama’ Web Shells

Introduction

Chinese threat actors are actively targeting vulnerable ThinkPHP applications to install a persistent web shell known as Dama. The attackers exploit known vulnerabilities, CVE-2018-20062 and CVE-2019-9082, to compromise systems, establishing a foothold for further malicious activities.

Targeting Old Vulnerabilities

ThinkPHP, an open-source web application development framework popular in China, is at the center of this campaign. The specific vulnerabilities being exploited are:

Attackers leverage these vulnerabilities to execute remote code on content management systems (CMS) running on the affected endpoints. Attackers initiate their exploit by downloading a text file labeled "public.txt," which is actually an obfuscated Dama web shell stored as "roeter.php." This malicious payload is delivered from compromised servers located in Hong Kong, allowing the attackers to gain remote control over the targeted systems by using the password "admin" for authentication.

Expansion of Malicious Activity

Initial signs of this activity date back to October 2023. However, recent observations indicate that the malicious campaign has expanded and intensified. Compromised systems are being co-opted into the attackers' infrastructure, serving as nodes for further operations and helping evade detection.

Capabilities of the Dama Web Shell

Dama is a sophisticated web shell with various advanced capabilities:

Despite these extensive functionalities, Dama lacks a command-line interface, which limits hands-on command execution by the attackers.

Mitigation

Exploiting these long-patched vulnerabilities highlights the persistent issue of inadequate vulnerability management. Organizations using ThinkPHP should upgrade to the latest version, ThinkPHP 8.0, which is secure against known remote code execution vulnerabilities.

Even systems not using ThinkPHP have been impacted, suggesting the attackers' opportunistic motives. Therefore, maintaining up-to-date security patches and robust vulnerability management practices is essential.

Conclusion

The exploitation of ThinkPHP vulnerabilities to deploy the Dama web shell underscores the importance of proactive cybersecurity measures. By keeping software up-to-date and adhering to best practices in vulnerability management, organizations can better defend against such sophisticated attacks. Stay informed with the latest cybersecurity updates to protect your systems from emerging threats.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.