Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells (Security News, June 2024)
Chinese threat actors are targeting ThinkPHP applications vulnerable to CVE-2018-20062 and CVE-2019-9082 to install a persistent web shell named Dama.
The web shell enables further exploitation of the breached endpoints, such as enlisting them as part of the attackers' infrastructure to evade detection in subsequent operations.
ThinkPHP is an open-source web application development framework that is particularly popular in China.
The two flaws are leveraged in this campaign to enable the attackers to perform remote code execution, impacting the underlying content management systems on the target endpoints.
Specifically, the attackers exploit the bugs to download a text file named "Public.txt," which, in reality, is the obfuscated Dama web shell saved as "Roeter.php."
Akamai says the servers delivering the payloads are infected themselves with the same web shell, so it appears that compromised systems are turned into nodes in the attacker's infrastructure.
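As an added defender-side example (not code from the article or from Akamai's report): a small Python scanner over constructed web-server access-log lines that flags the ThinkPHP `invokefunction` request pattern quoted in the CVE-2019-9082 entry on this page, and requests for the Dama file names named above (`Public.txt`, `Roeter.php`). The combined log format, IP addresses and timestamps are assumptions made for the sample.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Indicators grounded in this page: the ThinkPHP invokefunction request
# documented for CVE-2019-9082, and the Dama web shell file names
# (Public.txt is fetched from a compromised host and saved as Roeter.php).
INVOKE_RE = re.compile(r"/invokefunction\b.*function=call_user_func_array", re.I)
SHELL_RE = re.compile(r"/(roeter\.php|public\.txt)(\?|$)", re.I)

# Apache/nginx combined log format (assumed); only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

def classify(line: str) -> Optional[dict]:
    """Return a finding for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode %5C etc. so "\think\app" hidden behind URL encoding still matches.
    uri = unquote(m.group("uri"))
    tags = []
    if INVOKE_RE.search(uri):
        tags.append("thinkphp-invokefunction-rce")
    if SHELL_RE.search(uri):
        # On the victim: shell use. On a host serving Public.txt: that host is
        # itself compromised and acting as a distribution node.
        tags.append("dama-webshell-artifact")
    if not tags:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "uri": uri, "tags": tags}

def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample lines (not from the article); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:08:12:01 +0000] "GET /?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2024:08:12:03 +0000] "POST /Roeter.php HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Jun/2024:08:13:10 +0000] "GET /index.php?s=/index/article/detail&id=42 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ",".join(hit["tags"]), hit["uri"])
```

A 200 status on the `invokefunction` request is the signal to escalate: ThinkPHP versions that are patched reject it, so a successful response plus a later hit on `Roeter.php` from the same source is the sequence this campaign leaves behind.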
Related vulnerabilities

| Date | CVE | Vulnerability title | Risk (score) |
|---|---|---|---|
| 2019-02-24 | CVE-2019-9082 | Missing Authentication for Critical Function vulnerability in multiple products. ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via `public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=` followed by the command. | 9.3 |
| 2018-12-11 | CVE-2018-20062 | Improper Input Validation vulnerability in 5None NoneCms 1.3.0. An issue was discovered in NoneCms V1.3. | 7.5 |