In the present scenario, We’re no longer dealing with theories or potential exploitations, but with actual attacks. In security, a vulnerability constitutes the ‘attack surface’- a weakness that can be exploited by an attacker at some point. Recently, the Alibaba Cloud security team has reported a high-risk vulnerability in the ThinkPhP framework which is new to the security market. The team reports on new attacks that already use this vulnerability: two botnets, BuleHero and Sefa, took notice of the new ‘attack surface’, and exploited it to compromise hosts and use them for various cybercrime purposes. The ThinkPHP vulnerability is too common to ignore, and it is highly recommended to take immediate action to block it. The botnet leverages a variety of web exploits to intrude into unpatched web servers. It also contains several other exploits to spread across the network. The attack campaign starts with an HTTP request that attempts to exploit several vulnerabilities of web application servers. As a software application that runs automated tasks, bots are a common internet tool. BlueHero botnet found scanning the internet to infect systems with XMRig miner and Gh0st RAT
To initiate the infection process, the botnet actively scans for IP addresses with ports 80 and 3389.
It then uses Mimikatz to dump passwords from infected hosts into a Results.txt file.
The botnet leverages a variety of web exploits to intrude into unpatched web servers. It also contains several other exploits to spread across the network.
Both of these botnets propagate using worms. BuleHero, one of the two botnets, propagates through internal networks. Hosts that have the ThinkPHP vulnerability and are exposed to the Internet are at a high risk of being infected by this worm. As soon as a host is infected it joins a botnet and is used for cryptocurrency mining. Cryptocurrency mining tasks consume the host’s CPU resources and significantly slow down their routine activities.
Sefa, the second botnet, is an IoT botnet that attempts to seize control of hosts using the ThinkPHP vulnerability. This new critical vulnerability in ThinkPHP v5 could cause significant damage. Alibaba Cloud’s Security researchers predicted that more botnet is going to exploit this vulnerability to propagate. Users are strongly suggested to be on the alert and use the solutions described at the end of this article to prevent attacks.
As a part of the infection process, the botnet tries to bypass the security measures on the system like firewalls. Researchers note, “The botnet first deletes all the firewall rules and later it adds a few in order to enable access to the NetBIOS and SMB protocol.”
Bulehero is named after the domain name bulehero.in, which is a botnet that exploits multiple security vulnerabilities and controls Windows servers to mine cryptocurrency. Alibaba Cloud security team concluded that Bulehero had begun to use ThinkPHP remote commands to launch vulnerability attacks and propagate since December 19. The ThinkPHP vulnerability is exploited to download and run a malicious number of the binary file. These files initiate further downloads and releases multiple executable files, including cryptocurrency miner, which is used to mine Monero coins. Additional vulnerability exploitation modules are further used to propagate the botnet’s worm.
Vulnerability Exploitation method #1:
This method directly runs the PowerShell code to launch attacks against payload:
Vulnerability exploitation method #2:
This method exploits the vulnerability to upload a web shell named hydra.php, which can run backdoor commands and then execute PowerShell code to launch attacks against payload1.
Globally, crypto miners are rapidly increasing and spreading for an obvious reason: it’s lucrative. Threat actors are also surfing this wave by using a different kind of attacks to compromise not only personal computers but also servers. They are looking for powerful CPU resources to mine cryptocurrencies, such as Monero (XMR), among others, as fast as they can. The more infected machines they can get mining for them, the more money they can make. Globally, crypto miners are rapidly increasing and spreading for an obvious reason: it’s lucrative. Threat actors are also surfing this wave by using a different kind of attacks to compromise not only personal computers but also servers. They are looking for powerful CPU resources to mine cryptocurrencies, such as Monero (XMR), among others, as fast as they can. The more infected machines they can get mining for them, the more money they can make.
Over the last few months, we have begun to see a switch away from traditional ransomware, most probably because fewer and fewer victims are paying the ransom. Experts are suggesting that victims not pay ransoms, as there is no guarantee that the cybercriminals will actually return access to their encrypted data. Moreover, as has been described a few times on this blog, most of the time getting back access to the original data is simply not technically possible.
However, last year, we not only witnessed IoT malware embedding exploits to recruit more bots in their army but also campaigns using exploits to deploy cryptocurrency miners onto those devices. That trend is even more popular today, with cybercriminals exploiting new critical vulnerabilities within days of the public release of patches.
The threat to Internal Networks:
BuleHero exploits many vulnerabilities to spread itself in internal networks, posing critical security threats to the enterprise’s internal networks. BuleHero obtains a local IP address, to obtain the public IP address and generates the IP segment of a scanned IP. The IP segment contains segment B of the local network, segment B of the corresponding public network and the randomly generated public network address. BuleHero first uses the EternalBlue exploit (https://en.wikipedia.org/wiki/EternalBlue ) and “ipc$” to launch brute-force attacks against port 445 and port 139 before exploiting the Web framework vulnerabilities to implement intrusion.
BuleHero Cyberattack Trend:-
Alibaba Cloud’s security team found that BuleHero began to use a new attack method to exploit this vulnerability in ThinkPHP v5 on December 19. Since that day, BuleHero network attacks have increased significantly, which indicates that the propagation pace is considerably fast.
Additional vulnerability exploitation methods used by BuleHero are as follows:
Tomcat PUT arbitrary file upload vulnerability (CVE-2017-12615)
Exploits this vulnerability to upload a web shell named FxCodeShell.jsp, which can download and execute files:
Struts2 remote code execution vulnerability (CVE-2017-5638)
WebLogic WLS component remote code execution vulnerability (CVE-2017-10271)
EternalBlue vulnerability (MS-17-010)
Some of the web application vulnerabilities that BlueHero botnet includes in its exploit list are:
Apache Tomcat PUTs vulnerability (CVE-2017-12615)
Apache Struts RCE vulnerability (CVE-2017-5638)
Oracle WebLogic server vulnerability (CVE-2018-2628)
WebLogic Deserialization RCE vulnerability (CVE-2019-2725)
Oracle WebLogic Server vulnerability (CVE-2017-10271)
ThinkPHP v5 Remote Code Execution vulnerability
Drupal Remote Code Execution vulnerability (CVE-2018-7600)
Apache Solr Remote Code Execution vulnerability (CVE-2019-0193)
There are two types of exploits targeting this vulnerability that depend on the file path of the web app that it is trying to exploit. Both attacks use PowerShell to download and execute their payloads.
They use living-off-the-land techniques, such as using PowerShell, CertUtil, CMD and Wscript to download and execute their payload.