June 6, 2024 at 01:33PM
Two remote code execution (RCE) vulnerabilities in ThinkPHP, CVE-2018-20062 and CVE-2019-9082, patched over five years ago, are being exploited in ongoing attacks. Chinese-speaking threat actors use the web shell “Dama” to compromise servers, bypass PHP functions, and escalate privileges. Organizations are urged to patch urgently, as attackers are targeting unpatched systems.
Key takeaways:
1. Two remote code execution (RCE) vulnerabilities in ThinkPHP, CVE-2018-20062 and CVE-2019-9082, which were patched over five years ago, are being exploited in new attacks.
2. Akamai has warned that attackers are taking advantage of these vulnerabilities, impacting content management systems still using older versions of ThinkPHP.
3. A Chinese-speaking threat actor has been using these exploits to fetch files and deploy a web shell called Dama, which allows for various malicious activities such as file system navigation, data harvesting, and privilege escalation.
4. The attackers have been targeting unpatched systems, and Akamai stresses the urgency of patching, especially given the ongoing attacks and the availability of proof-of-concept code.
5. The attacks reveal a trend of using advanced web shells for victim control, and it is noted that the attackers may not be specifically targeting ThinkPHP, suggesting a broader range of systems might be at risk.