The gambit, analyzed in a detailed customer threat advisory that Imperva shared with Infosecurity, allows an external attacker to set command line options for the PHP execution engine. Such command line options eventually allow the attacker to execute arbitrary PHP code on the server.
While the vulnerability is not new and public exploits for it have been published before, the latest campaigns are taking on new tactics.
“In previous cases, the attack relied on the server configuration to redirect all PHP files to PHP CGI and thus making it vulnerable to code leakage, code execution and more,” Imperva noted. “The new attack however, tries to access the PHP CGI directly and hence must use the exact location of the PHP CGI executable.”
That’s a more sophisticated approach. For instance, one attack vector captured in the wild shows an HTTP request body containing PHP code that downloaded and installed a botnet malware client. The malware files are usually written in PHP, Python or C and range from simple reverse-shell backdoors to IRC clients that connect to command-and-control (C&C) servers. Some of the malware varies its functionality according to the kernel version and processor architecture of the infected server.
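The direct-access variant described above leaves a recognisable trace in web server access logs: a request aimed straight at the PHP CGI binary whose query string carries no `=` (which the CGI specification turns into command-line arguments) and begins with `-`. The following detection script, added here as an illustration and not taken from the article or from Imperva, runs that check over constructed sample log lines; the file paths, IP addresses and the `-h` option in the samples are all made-up placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined-style), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2013:10:00:00 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512
203.0.113.11 - - [01/Jan/2013:10:00:01 +0000] "POST /cgi-bin/php-cgi?-h HTTP/1.1" 200 1024
203.0.113.12 - - [01/Jan/2013:10:00:02 +0000] "POST /cgi-bin/php5-cgi?%2Dh HTTP/1.1" 200 1024
203.0.113.13 - - [01/Jan/2013:10:00:03 +0000] "GET /cgi-bin/php-cgi?page=home HTTP/1.1" 200 256
203.0.113.14 - - [01/Jan/2013:10:00:04 +0000] "GET /static/logo.png HTTP/1.1" 200 9000
"""

# Minimal parser for the fields we need: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Request path ends in a PHP CGI binary name (php, php5, php-cgi, php5-cgi, optional .exe).
# Hypothetical pattern: adjust to the actual location of the binary on your servers.
CGI_PATH_RE = re.compile(r'/php[0-9.]*(?:-cgi)?(?:\.exe)?$')


def is_argv_style_query(raw_query: str) -> bool:
    """True if the CGI gateway would hand this query string to the binary as argv.

    Per RFC 3875 section 4.4 that happens only when the raw query contains no
    unencoded '='; we additionally require the decoded string to start with '-',
    i.e. to look like a command-line option rather than a bare keyword search.
    """
    if "=" in raw_query:
        return False
    decoded = unquote_plus(raw_query)  # handles %2D and '+'-as-space encodings
    return decoded.lstrip().startswith("-")


def flag_php_cgi_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, request_target) for requests matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines the parser does not understand
        path, _, query = m["target"].partition("?")
        if query and CGI_PATH_RE.search(path) and is_argv_style_query(query):
            hits.append((m["ip"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, target in flag_php_cgi_requests(SAMPLE_LOG):
        print(f"suspicious PHP CGI request from {ip}: {target}")
```

The check on the raw query string matters: an attacker who percent-encodes the `=` still gets an `=`-free query as far as the gateway is concerned, so decoding before testing for `=` would produce false negatives.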
“Our experience shows that this level of sophistication is linked with industrialized crime, also known as bot herding,” Imperva said. “The attackers in this case scan for servers that are exposed to the vulnerability (using PHP CGI from vulnerable versions) to infect them with their bot clients, thus transforming them into zombies which receive commands from a C&C server under their control. These botnets are then sold or rented to the highest bidder.”
The trend is disturbing considering that PHP is the dominant server-side framework for writing web applications, with about 82% of all websites based on it, according to Imperva. This specific exploit can affect up to 16% of all public websites on the internet.
The security firm said that “while PHP’s power by numbers leads to maturity, documentation and best practices (which eventually means also security) – It also drives hacker’s focus.”
It certainly seems to drive that focus. Soon after the exploit was released last fall, Imperva honeypots detected a surge of attacks on web servers using this exploit in “different flavors,” with as many as 30,000 attack campaigns using it. Eventually the exploit was ported into the botnet form that appears to be common today.
So far, Imperva analysis shows that the overall count of attackers from different source IPs is 324, while the overall count of targeted web servers is 272. Most of the attacks originated from the US (35%), France (21%) and Germany (15%). The firm has also identified 43 different types of payload data in the attacks registered in the honeypot.
The attacks clearly show that companies need to be more diligent in taking appropriate measures to secure their servers, such as patching old vulnerabilities.
“Cybercriminals understand the serious gap that exists between the time that a vulnerability is found in the wild, to the time it gets reported then the time the vendor issues a patch (if third party software/framework is in the loop, such as PHP) and finally the time that a company becomes aware of both the issues and the fix – and implement it,” Imperva said. “This creates a window of opportunity for hackers to act on, as they know that the window will be open for a long time.”