Cybercriminals are exploiting vulnerabilities in the ThinkPHP open source framework to expand the Hakai and Yowai botnets.
The botnets can be used to breach web servers and launch DDoS attacks against websites; they exploit a vulnerability in the framework's invokeFunction method to execute malicious code on the underlying server, Trend Micro researchers said in a Jan. 25 blog post.
The remotely exploitable vulnerability, which allowed threat actors to gain control over the servers, was patched in December last year after Chinese cybersecurity firm VulnSpy developed a proof-of-concept exploit.
“Cybercriminals use websites created using the PHP framework to breach web servers via dictionary attacks on default credentials and gain control of these routers for distributed denial of service attacks (DDoS),” the post said. “Our telemetry showed that these two particular malware types caused a sudden increase in attacks and infection attempts from January 11 to 17.”
Once the Yowai botnet infects a router, it uses a dictionary attack in an attempt to infect other devices, while the affected router becomes part of a botnet that lets its operator use the compromised devices to launch DDoS attacks.
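A defender-side illustration of the two footprints the article describes: requests that name the ThinkPHP invokeFunction method, and bursts of failed logins from one client that mark a dictionary attack. This is an added example, not code from the article or from Trend Micro; the access-log lines are constructed, and the `/login` path, the failure threshold and the `PLACEHOLDER` query value are assumptions, not values from the page.

```python
"""
Added example (not from the article or Trend Micro): scan combined-format
web-server access logs for (a) requests whose decoded URL names ThinkPHP's
invokeFunction method and (b) clients that fail a login many times in a row,
the pattern of the dictionary attacks the article describes.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx "combined" log format: client, identd, user, [timestamp],
# "METHOD path protocol", status, bytes. Only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed sample log; IPs are documentation ranges, the query value
# "PLACEHOLDER" stands in for parameters not shown on the page.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2019:10:01:02 +0000] "GET /index.php?s=index/think%5Capp/invokefunction&function=PLACEHOLDER HTTP/1.1" 200 512
198.51.100.7 - - [12/Jan/2019:10:01:05 +0000] "GET /products HTTP/1.1" 200 2048
203.0.113.10 - - [12/Jan/2019:10:01:07 +0000] "GET /?s=/Index/%5Cthink%5CApp/InvokeFunction HTTP/1.1" 500 312
192.0.2.44 - - [12/Jan/2019:10:02:00 +0000] "POST /login HTTP/1.1" 401 128
192.0.2.44 - - [12/Jan/2019:10:02:01 +0000] "POST /login HTTP/1.1" 401 128
192.0.2.44 - - [12/Jan/2019:10:02:01 +0000] "POST /login HTTP/1.1" 401 128
192.0.2.44 - - [12/Jan/2019:10:02:02 +0000] "POST /login HTTP/1.1" 401 128
192.0.2.44 - - [12/Jan/2019:10:02:03 +0000] "POST /login HTTP/1.1" 401 128
192.0.2.44 - - [12/Jan/2019:10:02:04 +0000] "POST /login HTTP/1.1" 200 640
198.51.100.7 - - [12/Jan/2019:10:03:00 +0000] "POST /login HTTP/1.1" 401 128
"""


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Percent-decode so that %5C (backslash) and mixed case cannot hide the route.
    rec["path"] = unquote(rec["path"])
    return rec


def find_invokefunction_requests(lines):
    """Return (client_ip, decoded_path) for every request naming invokeFunction."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and "invokefunction" in rec["path"].lower():
            hits.append((rec["ip"], rec["path"]))
    return hits


def find_login_bruteforce(lines, login_path="/login", threshold=5):
    """Return {ip: {"failed": n, "then_succeeded": bool}} for clients with at
    least `threshold` 401 responses on login_path. `then_succeeded` flags a
    200 on the login path that followed those failures, i.e. a likely guess
    that worked. Both the path and the threshold are assumptions."""
    failures = Counter()
    succeeded = set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["path"] != login_path:
            continue
        if rec["status"] == 401:
            failures[rec["ip"]] += 1
        elif rec["status"] == 200 and failures[rec["ip"]] >= threshold:
            succeeded.add(rec["ip"])
    return {
        ip: {"failed": n, "then_succeeded": ip in succeeded}
        for ip, n in failures.items()
        if n >= threshold
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, path in find_invokefunction_requests(lines):
        print(f"invokeFunction request from {ip}: {path}")
    for ip, info in find_login_bruteforce(lines).items():
        print(f"login brute force from {ip}: {info}")
```

Decoding the path before matching matters: the route can arrive percent-encoded or in mixed case, and a filter that only looks for the literal lowercase string would miss the second probe in the sample. The brute-force check also distinguishes a client that merely failed repeatedly from one whose failures were followed by a success, which is the case worth paging someone about.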
Researchers said the Hakai sample they observed exploited flaws that may have remained unpatched in the system, and that as more botnet code becomes available and is exchanged online, they expect to see more competing Mirai-like botnets in these kinds of intrusions.
In addition, these botnets are developing resilience similar to that of other malware as they go after the growing number of IoT devices shipped with default credentials.