Cybercriminals exploit ThinkPHP vulnerability via Hakai and Yowai botnets

• ThinkPHP vulnerability is being increasingly exploited for botnet propagation by Mirai variant Yowai and Gafgyt variant Hakai.
• Attackers use websites created using PHP framework to breach web servers via dictionary attack and gain control of these routers for DDoS attacks.

The ThinkPHP vulnerability which allows attackers to gain control over web servers was patched in December 2018. However, cybercriminals were spotted exploiting this ThinkPHP vulnerability for botnet propagation by Mirai variant Yowai and Gafgyt variant Hakai.

Moreover, attackers use websites created using PHP framework to breach web servers via dictionary attack and gain control of these routers for DDoS (Distributed Denial of Service) attacks. Trend Micro’s telemetry revealed that Hakai and Yowai caused a sudden increase in attacks between January 11-17, 2019.

Mirai variant Yowai

Researchers from Trend Micro observed that Yowai adds ThinkPHP vulnerability to its list of infection entry vectors along with the other known vulnerabilities. TrendMicro explained in a blog that Yowai listens on port 6 to receive commands from C&C server.

• Once Yowai successfully infects a router, it uses dictionary attack to infect other devices.
• The infected router will then become part of a botnet that enables its operator to use the affected devices for launching DDoS attacks.
• Once executed, Yowai displays a message on users’ console.

Apart from ThinkPHP vulnerability, Yowai has exploited other vulnerabilities such as CVE-2014-8361, a Linksys RCE, CVE-2018-10561, CCTV-DVR RCE.

Gafgyt variant Hakai

Gafgyt variant Hakai has been observed exploiting router vulnerabilities for propagation and infecting Internet of Things (IoT ) devices. Researchers from TrendMicro observed that the Hakai sample (detected by Trend Micro as BACKDOOR.LINUX.HAKAI.AA) explored bugs that remained unpatched in systems and added exploits for vulnerabilities in ThinkPHP and other vulnerabilities to propagate and perform DDoS attacks.

The other vulnerabilities included D-Link DSL-2750B router vulnerability, CVE-2015-2051, CVE-2014-8361, and CVE-2017-17215.

“Interestingly, the Hakai sample we examined contained codes copied from Mirai, specifically the functions used for encrypting its configuration table. However, the functions we’ve identified are not operational, we suspect that the codes for telnet dictionary attack were intentionally removed to make this Hakai variant stealthier,” researchers explained in the blog.

Researchers noted that ThinkPHP is a free open source frame which can be easily exploited by attackers by abusing Yowai and Hakai to breach web servers and websites.

Researchers’ recommendations

• Researchers recommended IoT device users to update their devices to the latest version in order to patch any exploitable vulnerabilities.
• They further recommended users to frequently change their device passwords to a complicated and strong password in order to prevent unauthorized login attempts.