ThinkPHP was the single most targeted technology in 2020, says Jon Heimerl, Lead Analyst and Senior Manager, Global Threat Intelligence Center, US for NTT Ltd. Over 30% of all attacks directed at an identifiable technology were aimed at ThinkPHP, a Chinese-made PHP framework. Its meteoric rise from obscurity to top target is odd. It holds just 0.2% of the PHP framework market globally, and outside APAC its user base is very small. Inside APAC, the majority of its users are based in China.
Problems with ThinkPHP go back to 2018, when eight separate CVEs were filed against it. Five of those were SQL injection vulnerabilities affecting multiple versions of the framework. In 2019 a Remote Command Execution (RCE) bug was found. Exploit modules for that bug are available in the Metasploit penetration-testing framework, and their use against ThinkPHP installations was observed throughout 2020. In 2020 another RCE was found in a different version of ThinkPHP. It too has been seen being actively exploited.
Metasploit modules are not the only tooling aimed at ThinkPHP. Yowai, a variant of the Mirai botnet, and Hakai, a variant of the Gafgyt malware, have also targeted ThinkPHP installations. Both have been used to take over web servers and enlist them in DDoS attacks. Heimerl notes that Mirai and its variants accounted for over 8% of all malware in APAC in 2020.
Don’t let the RAT into your network
NetSupport Manager is a legitimate, commercially available remote-administration tool used by support teams, and attackers deploy that same software as a Remote Access Trojan (RAT). That dual use is what makes it so attractive to cybercriminals: a signed commercial product draws less suspicion than custom malware. Once it has a foothold inside an organisation it can be hard to remove, and it is used to pull further malware into the enterprise.
The risk from NetSupport Manager led Microsoft's Security Intelligence team to publish a series of tweets about it in May 2020. It warned of a phishing campaign that used COVID-19 as the lure and carried a malicious Excel attachment that installed the tool.
The NTT Ltd GTIR team has now delivered its warning on how effective NetSupport Manager was last year. In an article, Jeanette Dickens-Hale, Senior All-Source Threat Intelligence Analyst, Global Threat Intelligence Center, US wrote: “GTIR data show that at 13%, NetSupport Manager was also the second most detected malware in the Americas. At the same time, this RAT did not appear in the top five malware categories in other countries that the report referenced. It’s essential to note that the healthcare industry had nearly 57% of all malware activity via NetSupport Manager.”
Enterprise Times: What does this mean?
The emergence of ThinkPHP as a target for Mirai variants and Metasploit-based exploitation is a surprise, even more so given that it is predominantly used in China. However, it does not matter to botnet herders where machines are located, only that they can expand their botnets. Of more concern is that the vulnerabilities being exploited have all been patched. It shows, once again, that a failure to patch is a gateway to infection.
The threat from NetSupport Manager is just as serious. Commercially available tools that are easily misused by cybercriminals create problems for security and operations teams, because the same binary is both an approved product and an attacker's implant. Its prevalence in the Americas, and its absence from the top five elsewhere, is a surprise. Its use against an overstretched healthcare system is not.
It will be interesting to see what additional information NTT Ltd releases in its Global Threat Intelligence Report next week.