Critical zero-day vulnerability in MODX Revolution patched by BitNinja WAF
Eniko Toth

Critical zero-day vulnerability in MODX Revolution patched by BitNinja WAF

Content Management Systems (CMS) are highly vulnerable to zero-day attacks recently. Lately, the Drupal was picked on by the hackers. Now the ModX CMS is in the target.

CVE-2018-1000207: The new MODX vulnerability

Two critical vulnerabilities have been found in MODX Revolution <= 2.6.4 in the past few days. Exploiting it  , the hackers can remote code execution so they can compromise the website and modify (spoil/delete) the files and directories. This vulnerability has already got a CVE number: CVE-2018- 1000207.

With a single web request, the attacker can create a custom file name and content through a phpthumb class. Why is it possible? In MODX Revolution 2.6.4 and in the previous versions, the parameters of the user filtering have an incorrect access control vulnerability.

Zero-day botnet starts spreading around

At 26th July at 6 PM, the flow has been started according to our data. This botnet is really aggressive, as, in the first 6 hours, we detected almost 13.000 attacks!

The peak was at 22 PM on the same day and since then, the number of attacks started to decrease, but don’t believe that’s it’s over.

Analyzing the incidents

Here is a screenshot from the BitNinja Dashboard about one of the attacker IP:

Looking through these logs, we are sure that you could find the pattern by yourself. The bot is scanning the /assets/components/gallery/connector.php continuously. Let’s investigate a log from a little bit closer:

Attacking countries

In the first 17 hours, 29% of the attacks came from the US. The Top5 attacking countries are the following:

United States
United Kingdom

Examining only these 5 countries, the US is responsible for 50% of the attacks as you can see from the graph below.

How to be protected against MODX Revolution <= 2.6.4 Remote Code Execution?

BitNinja is always up-to-date for the zero-day attacks and vulnerabilities. We’ve implemented a brand-new development, the Attack Vector Miner for your safety. We are not only detecting the new botnets but also offering an direct protection against them.

Don’t let CVE-2018-1000207 compromising your servers! With BitNinja Pro, you only have to do is enable the 403001 WAF rule on the Dashboard.

Here are the first logs detected by the "403001 Modx Revolution < 2.6.4 - Remote Code Execution - CVE-2018-1000207" WAF rule:

Need help with it? Have questions? Leave us a comment!

Stay safe dear Fellow Ninja!

Share your ideas with us about this article

Previous posts

Journey through Europe with a Trabant-Ninjas are breaking the record
We are checking in with an unusual article. We would like to share an upcoming story about a great Journey, which will start on 28th of July. Why is it worth mentioning? Well, one member of this great Adventure is one of our Ninjas, and we’re really proud of him. They will travel around Northern Europe with a Trabant 601 car in 30 days. Breaking the record No one in this world has traveled this distance (7000KM = 4 349.59 miles ) with a Trabant (which only has a 2-stroke engine). This car sooner or later will be counted as a veteran. The adventure has a charity aspect as well, w...
Attack Vector Miner – AI Technology for Detecting Zero-Day Attacks
Artificial Intelligence (AI) is spreading quickly in many industries, and we can gladly announce the Attack Vector Miner, one of our latest developments based on AI. But before we tell you more about that, let’s get a bit more familiar with AI. If you’re an AI expert, know everything about it, and are only curious about the Attack Vector Miner, just scroll down to the last paragraph. History of AI It’s not a new thing that machines “stole” people’s jobs; let’s think about the steam engine, the calculator, or the PC. But trends today show that we’d like to delegate even more tasks to mach...