A flaw involving PHP, the language behind most websites, including Facebook, Yahoo and Wikipedia, is being actively exploited by attackers, according to Imperva researchers.
Imperva reported detecting the campaign, an automated wave of attacks against a PHP vulnerability, in its Hacker Intelligence Initiative report (PDF). Imperva's web research team leader Tal Be'ery told V3 that the vulnerability being exploited stems from abuse of PHP's Superglobal mechanism.
"By injecting a value into an internal variable, in this case by using PHP's Superglobal mechanism, the attacker is able to change the application flow and execute arbitrary commands to take control over the server. In the attack we researched, the attackers used a vulnerability in PHPMyAdmin, a popular database management app, to inject commands via a vulnerability in its handling of the Session Superglobal," explained Be'ery.
"Combined with an additional vulnerability in some PHP versions, which allowed the storing and extracting of the Session in an unsafe manner, it enabled the attacker to run arbitrary code on the infected server and take full control over it."
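To make the two halves of the chain Be'ery describes concrete, here is an added Python model (not code from the Imperva report, from PHP or from phpMyAdmin) of PHP's legacy "php" session serialize handler, which stores $_SESSION as `name|<serialized value>` records back to back. It shows what happens when an application lets a request parameter choose a $_SESSION key and the session store writes that key verbatim: a key containing the `|` delimiter smuggles a complete extra record that reappears as a separate session variable, such as an `is_admin` flag, on the next request. The function names, the `vulnerable_app` request shape, the ASCII-only string handling and the hardened encoder that refuses framing characters are all assumptions made for this illustration; the exact PHP bug referenced in the report is not reproduced here.

```python
# Added illustration: a model of PHP's legacy "php" session serialize handler.
# Format: name|<serialized value>name2|<serialized value>...
# Only str/int/bool values are modelled, and strings are assumed ASCII so that
# byte length equals character length (an assumption of this example).


def php_serialize(value):
    """Serialize one scalar the way PHP's serialize() does."""
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value)}:"{value}";'
    raise TypeError(f"unsupported type {type(value).__name__}")


def php_unserialize(data, pos):
    """Parse one serialized scalar at data[pos:]. Returns (value, next_pos) or None."""
    if pos + 2 > len(data) or data[pos + 1] != ":":
        return None
    tag = data[pos]
    end = data.find(";", pos)
    if end == -1:
        return None
    try:
        if tag == "b":
            return data[pos + 2:end] == "1", end + 1
        if tag == "i":
            return int(data[pos + 2:end]), end + 1
        if tag == "s":
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2  # skip the ':"' that opens the string
            if data[colon + 1] != '"' or data[start + length:start + length + 2] != '";':
                return None
            return data[start:start + length], start + length + 2
    except ValueError:
        return None
    return None  # objects, arrays etc. are not modelled; treat as parse failure


def session_encode_unsafe(session):
    """The unsafe store: the key is written verbatim, delimiter and all."""
    return "".join(f"{k}|{php_serialize(v)}" for k, v in session.items())


def session_encode_safe(session):
    """Hardened store (assumed fix): refuse keys that would break the framing."""
    for k in session:
        if "|" in k or "!" in k:  # '!' is the handler's undefined-value marker
            raise ValueError(f"illegal session key {k!r}")
    return session_encode_unsafe(session)


def session_decode(blob):
    """Decoder loop: key runs up to '|', then one value is parsed. If the value
    fails to parse, the entry is skipped and scanning resumes right after '|'."""
    session, pos = {}, 0
    while pos < len(blob):
        bar = blob.find("|", pos)
        if bar == -1:
            break
        name = blob[pos:bar]
        parsed = php_unserialize(blob, bar + 1)
        if parsed is None:
            pos = bar + 1
            continue
        value, pos = parsed
        session[name] = value
    return session


def vulnerable_app(request, session):
    """The pattern the report warns about: a request parameter picks the $_SESSION key."""
    if "session_key" in request:
        session[request["session_key"]] = request.get("session_value", "")
    return session


def demo():
    """Constructed attack: the key itself carries a full extra record 'is_admin|b:1;'."""
    attack = {"session_key": "is_admin|b:1;pad", "session_value": "x"}
    session = vulnerable_app(attack, {"user": "guest"})
    blob = session_encode_unsafe(session)  # user|s:5:"guest";is_admin|b:1;pad|s:1:"x";
    return session_decode(blob)  # is_admin is now True in the restored session


if __name__ == "__main__":
    print(demo())
```

The same attacker input against `session_encode_safe` never reaches the session store, which is the point of the hardened variant: the application-level injection into the Session Superglobal is only fatal because the store trusts the key.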
Be'ery said the vulnerability is particularly dangerous due to the common use of PHP and could be used by hackers for a variety of purposes. "PHP code is powering most of the web (80 percent), including high-profile sites such as Facebook, Yahoo, Baidu and Wikipedia. Since the attack is automated by nature we believe that the attackers had attempted to hack into major sites as well as smaller sites," he said.
"Server takeover [grants the attacker] full control over the server's resources, including, but not limited to, access to all of the app users' stored data, enslaving the infected server to be a 'soldier' in a botnet and storing an infection code on the server and infecting the site's users with malware."
The Imperva report revealed the attackers have been targeting the vulnerability with increasing tenacity for several months, and that compromised servers, including one belonging to a bank, are among the sources of the attacks.
"Over the course of a month, our research team witnessed 144 attacks per application (within a sample of 24 applications) that contained attack vectors related to Superglobal parameters," read the report.
"These attacks appeared in the form of request burst floods – we have seen peaks of over 20 hits per minute, reaching up to 90 hits per minute, on a single application. Some attack campaigns spanned over a period of more than five months. One of the attack sources was a compromised server belonging to an Italian bank."
Be'ery cited the campaign as further proof that criminals are developing new, more sophisticated ways to attack businesses. "I think it's evidence for the general evolution of the web threat landscape, as it shows that attackers are capable of mounting complex attacks which consist of combining multiple vulnerabilities in different products and packaging them into simple-to-use tools. I believe we will see more combined attacks in the near future," said Be'ery.
The Imperva researcher said businesses can protect themselves in several ways: deploying an application-layer security mechanism, such as a web application firewall, that inspects requests to the company's web applications for different types of violations; bluntly blocking any request that carries parameters named after PHP's Superglobals (such as _SESSION); and avoiding reliance on third-party code such as the PHPMyAdmin (PMA) utility used in the latest exploit.
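The blunt blocking rule and the burst pattern quoted from the report above can both be checked from ordinary access logs. The following Python detector is an added example, not tooling from Imperva or from the report: it flags request parameters whose name is a PHP Superglobal (including the `_SESSION[x]` array form and its percent-encoded variant) and counts hits per minute per application so that a flood like the "over 20 hits per minute" peak the report describes stands out. The log lines are constructed for this example and are not real traffic; the combined-log line format, the rule that the application is the first path segment, the default threshold of 20 taken from the quoted figure, and the helper names (`analyze`, `superglobal_params`, `constructed_burst`) are all assumptions of this example.

```python
# Added example: detect PHP Superglobal names used as request parameters and
# per-application request bursts in access logs. Not from the Imperva report.
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

SUPERGLOBALS = ("GLOBALS", "_SERVER", "_GET", "_POST", "_FILES", "_COOKIE",
                "_SESSION", "_REQUEST", "_ENV")
# A parameter name that is a superglobal, optionally with array syntax: _SESSION[x]
SUPERGLOBAL_PARAM = re.compile(r"^(?:%s)(?:\[.*\])?$" % "|".join(SUPERGLOBALS))

# Combined-log style line: ip ident user [timestamp] "METHOD url proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic for this example (not real log data).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Sep/2013:10:15:01 +0000] "GET /pma/index.php?_SESSION[foo]=bar HTTP/1.1" 200 512
10.0.0.9 - - [09/Sep/2013:10:15:02 +0000] "GET /shop/index.php?page=about HTTP/1.1" 200 2048
10.0.0.5 - - [09/Sep/2013:10:15:03 +0000] "GET /pma/index.php?GLOBALS[cfg]=1&_SESSION%5Bx%5D= HTTP/1.1" 200 512
10.0.0.7 - - [09/Sep/2013:10:15:04 +0000] "POST /blog/login.php HTTP/1.1" 302 0
"""


def superglobal_params(url):
    """Names of query parameters that target a PHP Superglobal.
    parse_qsl percent-decodes, so _SESSION%5Bx%5D is caught as _SESSION[x]."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SUPERGLOBAL_PARAM.match(name)]


def should_block(url):
    """The blunt rule from the report's advice: any superglobal parameter -> reject."""
    return bool(superglobal_params(url))


def constructed_burst(ip, app, n, minute="09/Sep/2013:10:16"):
    """Build n constructed log lines from one source against one app in one minute."""
    return "".join(
        f'{ip} - - [{minute}:{i % 60:02d} +0000] "GET {app}/index.php?GLOBALS[v{i}]=1 HTTP/1.1" 200 512\n'
        for i in range(n)
    )


def analyze(log_text, burst_threshold=20):
    """Return (alerts, bursts).
    alerts: list of (ip, app, [offending parameter names]) per flagged request.
    bursts: {app: peak hits per minute} for apps at or above burst_threshold."""
    alerts = []
    per_minute = defaultdict(Counter)  # app -> Counter(minute -> hits)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = m["url"]
        app = "/" + urlsplit(url).path.strip("/").split("/")[0]
        minute = m["ts"][:17]  # "09/Sep/2013:10:15", drops seconds and zone
        per_minute[app][minute] += 1
        names = superglobal_params(url)
        if names:
            alerts.append((m["ip"], app, names))
    bursts = {app: max(c.values()) for app, c in per_minute.items()
              if max(c.values()) >= burst_threshold}
    return alerts, bursts


if __name__ == "__main__":
    found, floods = analyze(SAMPLE_LOG + constructed_burst("10.0.0.5", "/pma", 25))
    for ip, app, names in found[:3]:
        print(f"{ip} -> {app}: {names}")
    print("bursting apps:", floods)
```

Blocking on parameter names is deliberately crude, as the report's own wording admits: a legitimate application never needs a client to send a parameter literally named `_SESSION` or `GLOBALS`, so the false-positive cost is low, but the rule does nothing against a parameter with an innocent name that the application itself copies into a Superglobal, which is why it complements rather than replaces an inspection layer in front of the application.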
The PHP campaign is one of many advanced attacks uncovered in recent months. Trend Micro researchers last month detected a spike in the number of criminal groups using Java native-layer vulnerabilities to infiltrate business and government systems.