During the 2019 CPX 360 Cybersecurity Summit and Expo, Check Point researchers shared details of the new SpeakUp backdoor, which has been found on servers in China.
The attackers are taking advantage of a vulnerability in the ThinkPHP framework, tracked as CVE-2018-20062. The issue is in the library file thinkphp/library/think/App.php. Manipulation of the filter argument as part of a query string leads to a privilege escalation vulnerability (PHP code execution).
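A defender-side log triage example for the condition described above, added here and not taken from Check Point's report or the ThinkPHP project: it flags access-log requests whose query string carries a filter argument, including percent-encoded and array-style spellings of the name. The combined log format, the sample lines and the function names are assumptions; a hit is a lead for review, not proof of exploitation.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed input: combined-log-format lines (client ... "METHOD target HTTP/x" status).
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2019:00:00:01 +0000] "GET /index.php?id=7 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2019:00:00:02 +0000] "GET /index.php?s=home&filter=VALUE_A HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2019:00:00:03 +0000] "GET /index.php?%66ilter%5B%5D=VALUE_B HTTP/1.1" 500 0',
    '203.0.113.4 - - [01/Jan/2019:00:00:04 +0000] "GET /shop?filters=price HTTP/1.1" 200 900',
]


def filter_args(target):
    """Return the values of every query argument named filter (or filter[...])."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so a double-encoded name still matches.
        base = unquote(name).split("[", 1)[0].strip().lower()
        if base == "filter":
            hits.append(value)
    return hits


def triage(log_lines):
    """Return (client, status, values) for each request carrying a filter argument."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, target, status = m.groups()
        values = filter_args(target)
        if values:
            findings.append((client, int(status), values))
    return findings


if __name__ == "__main__":
    for client, status, values in triage(SAMPLE_LOG):
        print(f"review: {client} status={status} filter={values}")
```

Only the query string is inspected, since request bodies do not appear in access logs.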
The exact identity of the threat actor behind the SpeakUp attack is still not confirmed. Check Point researchers were able to correlate SpeakUp's author with a malware developer who goes by the name Zettabit. Although SpeakUp is implemented differently, it has a lot in common with Zettabit's craftsmanship.