Cybercriminals are exploiting a ThinkPHP vulnerability that was patched in December 2018. The attackers are using the compromised systems to propagate two new botnets: Yowai (a Mirai variant) and Hakai (a Gafgyt variant).
Security researchers from Trend Micro spotted the activity and observed increased attacks between January 11 and 17 of this month.
“Cybercriminals use websites created using the PHP framework to breach web servers via dictionary attacks on default credentials and gain control of these routers for distributed denial of service attacks (DDoS),” Trend Micro noted in a recent blog post.
Yowai botnet
According to Trend Micro, Yowai listens on port 6 and receives commands from a command-and-control server. After infecting a router, it uses a dictionary attack to infect other target devices.
The infected routers then become part of a larger botnet the attackers can use to launch DDoS cyber attacks.
Hakai botnet
Trend Micro noted that Hakai, a Gafgyt variant, was previously seen infecting Internet of Things (IoT) devices by exploiting router vulnerabilities to propagate. This latest version appears to focus more on exploiting vulnerabilities than previous versions, which relied on Telnet brute-forcing of IoT devices.
In summary, cybercriminals are exploiting unpatched vulnerabilities and using Yowai and Hakai to more easily breach web servers and attack websites.
Attackers will continue to develop Mirai-like botnets and target IoT devices with default credentials or older unpatched software.