CVE-2018-1000207: The new MODX vulnerability
Two critical vulnerabilities have been found in MODX Revolution <= 2.6.4 in the past few days. Exploiting it , the hackers can remote code execution so they can compromise the website and modify (spoil/delete) the files and directories. This vulnerability has already got a CVE number: CVE-2018- 1000207.
With a single web request, the attacker can create a custom file name and content through a phpthumb class. Why is it possible? In MODX Revolution 2.6.4 and in the previous versions, the parameters of the user filtering have an incorrect access control vulnerability.
Zero-day botnet starts spreading around
At 26th July at 6 PM, the flow has been started according to our data. This botnet is really aggressive, as, in the first 6 hours, we detected almost 13.000 attacks!
The peak was at 22 PM on the same day and since then, the number of attacks started to decrease, but don’t believe that’s it’s over.
Analyzing the incidents
Here is a screenshot from the BitNinja Dashboard about one of the attacker IP:
Looking through these logs, we are sure that you could find the pattern by yourself. The bot is scanning the /assets/components/gallery/connector.php continuously. Let’s investigate a log from a little bit closer:
In the first 17 hours, 29% of the attacks came from the US. The Top5 attacking countries are the following:
Examining only these 5 countries, the US is responsible for 50% of the attacks as you can see from the graph below.
How to be protected against MODX Revolution <= 2.6.4 Remote Code Execution?
BitNinja is always up-to-date for the zero-day attacks and vulnerabilities. We’ve implemented a brand-new development, the Attack Vector Miner for your safety. We are not only detecting the new botnets but also offering an direct protection against them.
Here are the first logs detected by the "403001 Modx Revolution < 2.6.4 - Remote Code Execution - CVE-2018-1000207" WAF rule:
Need help with it? Have questions? Leave us a comment!
Stay safe dear Fellow Ninja!