Alibaba Cloud's Cloud Firewall can defend against attacks from multiple botnets that exploit the ThinkPHP v5 vulnerability.

The Alibaba Cloud Security team recently detected that several cryptocurrency miner botnets have begun exploiting the new ThinkPHP vulnerability to propagate themselves. BuleHero is a botnet that exploits multiple security vulnerabilities and takes control of Windows servers to mine cryptocurrency, posing a critical security threat to businesses. Systems with the ThinkPHP v5 vulnerability are prone to infection by BuleHero and Sefa. Once a system is infected, the worms spread across internal networks, posing a critical security threat to enterprises' internal networks. BuleHero and Sefa can also use the servers they control to mine cryptocurrency, which affects the normal running of the business.

For more information about the threat and the malicious links, see Threat Alert: Multiple Cryptocurrency Miner Botnets Start to Exploit the New ThinkPHP Vulnerability.

Rule type: Worm attack

Risk level: High

Cloud Firewall can defend against such attacks. We recommend that you enable intrusion prevention policies in the Cloud Firewall console.