Miori IoT botnet spreads through PHP framework RCE vulnerability

Attackers are using a variant of the infamous Mirai IoT botnet dubbed “Miori” to exploit a Remote Code Execution (RCE) vulnerability in ThinkPHP, a free open-source PHP framework. 

According to Trend Micro, the exploit is relatively new: details of it surfaced on December 11, 2018. It affects ThinkPHP versions prior to 5.0.23 and 5.1.31, and ThinkPHP patched the flaw on December 9th.

Once it has infected a device, Miori starts a Telnet brute-force attack against other IP addresses.

“It also listens on port 42352 (TCP/UDP) for commands from its C&C server. It then sends the command ‘/bin/busybox MIORI’ to verify infection of targeted system,” Trend Micro noted in the report.
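As an added example (not from Trend Micro's report or this article), the Python below turns the two network indicators in that description, traffic to port 42352 and Telnet connections fanned out to many hosts, into a check over constructed flow-log lines; the log format, the sample addresses and the sweep threshold are assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the Trend Micro description quoted above.
MIORI_CC_PORT = 42352   # Miori listens here (TCP and UDP) for C&C commands
TELNET_PORT = 23        # Miori brute-forces other hosts over Telnet
SWEEP_THRESHOLD = 5     # assumption: distinct Telnet targets per source before flagging

# Hypothetical flow-log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>tcp|udp)$"
)

# Constructed sample: 192.168.1.23 sweeps six hosts on Telnet and receives
# traffic on 42352 over both protocols; 192.168.1.50 is ordinary traffic.
SAMPLE_LOG = """\
2018-12-20T10:00:01 192.168.1.23:51000 -> 10.0.0.5:23 tcp
2018-12-20T10:00:01 192.168.1.23:51001 -> 10.0.0.6:23 tcp
2018-12-20T10:00:01 192.168.1.23:51002 -> 10.0.0.7:23 tcp
2018-12-20T10:00:02 192.168.1.23:51003 -> 10.0.0.8:23 tcp
2018-12-20T10:00:02 192.168.1.23:51004 -> 10.0.0.9:23 tcp
2018-12-20T10:00:02 192.168.1.23:51005 -> 10.0.0.5:23 tcp
2018-12-20T10:00:02 192.168.1.23:51006 -> 10.0.0.10:23 tcp
2018-12-20T10:00:03 203.0.113.9:44000 -> 192.168.1.23:42352 tcp
2018-12-20T10:00:03 203.0.113.9:44001 -> 192.168.1.23:42352 udp
2018-12-20T10:00:04 192.168.1.50:52000 -> 10.0.0.5:23 tcp
2018-12-20T10:00:04 192.168.1.50:52001 -> 10.0.0.7:443 tcp
"""

def parse_flows(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {k: (int(v) if k in ("sport", "dport") else v)
                   for k, v in m.groupdict().items()}

def analyze(text, threshold=SWEEP_THRESHOLD):
    """Return hosts receiving traffic on the Miori C&C port and sources that
    opened Telnet connections to at least `threshold` distinct hosts."""
    cc_hosts = set()
    telnet_targets = defaultdict(set)
    for f in parse_flows(text):
        if f["dport"] == MIORI_CC_PORT:
            cc_hosts.add(f["dst"])
        if f["dport"] == TELNET_PORT:
            telnet_targets[f["src"]].add(f["dst"])
    sweepers = {s: len(t) for s, t in telnet_targets.items() if len(t) >= threshold}
    return {"cc_port_hosts": sorted(cc_hosts), "telnet_sweepers": sweepers}
```

Both indicators point at the same internal host in the sample, which is the pattern worth triaging: a device that is reachable on 42352 and is itself sweeping Telnet.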

Two other Mirai variants with characteristics similar to Miori's, IZ1H9 and APEP, were also discovered. Like other Mirai variants, they attempt to brute-force devices using default or weak passwords. APEP also exploits another RCE vulnerability (CVE-2017-17215) that affects Huawei HG532 routers.

Trend Micro also predicted last week that malicious actors would likely abuse the ThinkPHP exploit.

True to form, ZDNet reported last Friday that tens of thousands of Chinese websites have been attacked via the new ThinkPHP framework vulnerability. The attacks started soon after proof-of-concept (PoC) code was posted online by Chinese cyber-security firm VulnSpy.

Trend Micro and a number of other security firms, including F5 Labs, GreyNoise and NewSky Security, also reported malicious scans in the wild coming from the IoT botnet.

F5 Labs warned that users should be aware the pattern of attacks is similar to that used to quickly exploit other RCE bugs, such as Apache Struts 2 (CVE-2017-5638) in March of last year.

To combat these types of threats, enterprises and users should make sure device passwords and configurations are changed from the factory defaults; default credentials are a common vector attackers use to compromise connected devices.

Users should also regularly update their devices to the latest software (such as the latest ThinkPHP release) or firmware versions so that already-patched vulnerabilities are closed.