On October 22, security researcher Omar Ganiev published a tweet about a remote code execution vulnerability in PHP-FPM (the PHP FastCGI Process Manager) when it runs behind an Nginx server. The tweet links to a GitHub repository containing an explanation of the vulnerability and a proof-of-concept (PoC) exploit for it.
PHP versions prior to 7.3.11 (current stable), 7.2.24 and 7.1.33 (old stable) are vulnerable; those three releases contain the fix. More details about the vulnerability can be found here.
A short timeline of the chain of events:
- September 24: GitHub project opened
- September 26: Vulnerability submitted
- September 27: The first attack observed in Imperva CDN
- October 21: Official vulnerability patch release
- October 22: Tweet posted by the researcher
- October 24 – Now: Media coverage
This timeline is unusual. Because we already had a mitigation rule in place before the attack was published, we had full visibility of the attacks and could track them in the wild from the moment they began. In most cases we would expect to see a patch released, then a PoC, and only then attacks in the wild.
Surprisingly, we found that exploit attempts using the same script were carried out long before the official patch was released. Although we cannot tell whether the repository started life as a private project, GitHub shows that it was created on September 24, almost a month before the patch was published. The earliest exploit attempts, dating back to September 27, leave the same trace as the GitHub PoC: the same distinctive HTTP payloads and the same attacking client.
The first exploit attempts came from a single source against a single destination and used a VPN to hide the originating IP. After the public disclosure we observed typical epidemic behaviour: multiple early adopters scanning the web for unpatched servers.
First attack attempt, Shodan source-IP information
It is also interesting to note how the variety of tools used to carry out the attack evolved. The original GitHub PoC is written in Go, but in the days following the release we observed multiple different clients, indicating that variants of the original exploit had emerged. Some of the later attempts were made from browsers, probably as manual tests.

| Day | Attacking tools | Number of distinct IPs | Number of distinct sites | Number of malicious requests |
|---|---|---|---|---|
| 2019-10-27 | GoLang, Python, cURL, Tor Browser, Chrome, Firefox | 39 | 105 | 9946 |
| 2019-10-26 | GoLang, Python, cURL, Tor Browser, Chrome, Firefox | 14 | 100 | 12897 |
| 2019-10-25 | GoLang, Python, cURL, Tor Browser, WebKit | 13 | 66 | 6942 |
| 2019-10-24 | GoLang, Python, cURL | 22 | 143 | 50067 |
| 2019-10-23 | GoLang, Python, cURL, Wget (BusyBox), Firefox | 30 | 45 | 4087 |
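The table above is a per-day rollup of already-flagged requests: which client families were seen, how many distinct source IPs and target sites, and how many requests. The script below is an added example of how such a rollup is produced; it is not Imperva's code. The log format, the field names, the tool-classification patterns and the set of Tor exit addresses are all assumptions, and the log records are constructed, not real traffic. Two practitioner caveats it handles: Chrome user agents also contain "AppleWebKit", so Chrome must be matched before WebKit, and Tor Browser presents a stock Firefox user agent, so it can only be separated from Firefox by the source address.

```python
"""Roll up flagged exploit attempts per day, by attacking tool.

Added example (not the vendor's code). Input is assumed to be one record per
line: ISO timestamp, source IP, target host, quoted User-Agent. Only requests
that a separate detection rule has already flagged as malicious are fed in.
"""
import re
from collections import defaultdict

# Constructed sample records (assumption: this is not real attack traffic).
SAMPLE_LOG = """\
2019-10-23T08:01:12Z 203.0.113.5 shop.example.com "Go-http-client/1.1"
2019-10-23T08:01:15Z 203.0.113.5 shop.example.com "Go-http-client/1.1"
2019-10-23T09:30:00Z 198.51.100.9 blog.example.org "python-requests/2.22.0"
2019-10-23T11:45:41Z 198.51.100.9 shop.example.com "curl/7.64.1"
2019-10-23T12:00:00Z 192.0.2.77 blog.example.org "Wget/1.20.3 (linux-gnu)"
2019-10-23T12:00:05Z 192.0.2.77 blog.example.org "BusyBox v1.31.0 wget"
2019-10-23T15:10:10Z 192.0.2.33 mail.example.net "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
2019-10-24T01:02:03Z 203.0.113.5 shop.example.com "Go-http-client/1.1"
2019-10-24T01:02:04Z 203.0.113.6 shop.example.com "Go-http-client/1.1"
2019-10-24T02:00:00Z 198.51.100.9 www.example.com "python-requests/2.22.0"
2019-10-24T03:00:00Z 192.0.2.50 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
2019-10-25T04:00:00Z 192.0.2.51 blog.example.org "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Safari/605.1.15"
"""

# Assumed list of Tor exit addresses (in practice: the published exit list).
TOR_EXITS = frozenset({"192.0.2.33"})

# Ordered User-Agent patterns. Order matters: Chrome UAs also contain
# "AppleWebKit", so Chrome is tested before the generic WebKit rule.
TOOL_PATTERNS = [
    ("GoLang", re.compile(r"Go-http-client")),
    ("Python", re.compile(r"python-requests|Python-urllib", re.I)),
    ("cURL", re.compile(r"^curl/")),
    ("Wget/BusyBox", re.compile(r"Wget|BusyBox", re.I)),
    ("Firefox", re.compile(r"Firefox/")),
    ("Chrome", re.compile(r"Chrome/")),
    ("WebKit", re.compile(r"AppleWebKit")),
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def classify_tool(user_agent, src_ip, tor_exits):
    """Map a User-Agent (plus source IP) to one of the tool families above."""
    for name, pattern in TOOL_PATTERNS:
        if pattern.search(user_agent):
            # Tor Browser ships a stock Firefox UA; only the exit IP tells it apart.
            if name == "Firefox" and src_ip in tor_exits:
                return "Tor Browser"
            return name
    return "Other"


def parse_line(line):
    """Split one log record into its fields; return None for malformed lines."""
    match = LINE_RE.match(line)
    if not match:
        return None
    timestamp, ip, host, user_agent = match.groups()
    return {"day": timestamp[:10], "ip": ip, "host": host, "ua": user_agent}


def summarize(log_text, tor_exits=frozenset()):
    """Per-day counts, newest day first, in the shape of the table above."""
    per_day = defaultdict(lambda: {"tools": set(), "ips": set(), "sites": set(), "requests": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed records rather than abort the whole rollup
        bucket = per_day[rec["day"]]
        bucket["tools"].add(classify_tool(rec["ua"], rec["ip"], tor_exits))
        bucket["ips"].add(rec["ip"])
        bucket["sites"].add(rec["host"])
        bucket["requests"] += 1
    return {
        day: {
            "tools": sorted(v["tools"]),
            "distinct_ips": len(v["ips"]),
            "distinct_sites": len(v["sites"]),
            "requests": v["requests"],
        }
        for day, v in sorted(per_day.items(), reverse=True)
    }


def render_table(summary):
    """Render the rollup as a markdown table like the one in the post."""
    rows = [
        "| Day | Attacking tools | Distinct IPs | Distinct sites | Malicious requests |",
        "|---|---|---|---|---|",
    ]
    for day, v in summary.items():
        rows.append(
            f"| {day} | {', '.join(v['tools'])} | {v['distinct_ips']} | "
            f"{v['distinct_sites']} | {v['requests']} |"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(summarize(SAMPLE_LOG, TOR_EXITS)))
```

Feeding real WAF or access logs in requires only a different `parse_line`; the classification and aggregation stay the same. The "Other" bucket is worth watching on its own, since a new client string appearing there is often the first sign of a new exploit variant.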
Not surprisingly, the early-adopter attacking IPs originate mainly from Russia, the USA and China. The prominence of Vietnam on the map is unusual, however.

| Country code | Number of malicious requests |
|---|---|
Fortunately, our customers were protected out of the box, both in the Cloud WAF and in the on-premises WAF.
Going forward, our Threat Research team will keep tracking this and other 0-day vulnerabilities and their exploits, and will continue to update our WAF engine to mitigate newly released vulnerabilities.