Multiple threat actors are exploiting a newly disclosed security flaw in PHP to distribute remote access trojans, cryptocurrency miners, and DDoS botnets. The vulnerability, identified as CVE-2024-4577 (CVSS score: 9.8), allows attackers to execute malicious commands on Windows systems using Chinese and Japanese language locales. This flaw, publicly disclosed in early June 2024, enables command line escape and direct argument interpretation by PHP.
Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg revealed in a Wednesday analysis that CVE-2024-4577 stems from improper conversion of Unicode characters to ASCII. They observed exploit attempts against their honeypot servers within 24 hours of the vulnerability’s public disclosure, including delivery of the Gh0st RAT, RedTail and XMRig cryptocurrency miners, and the Muhstik DDoS botnet.
The attackers used a soft hyphen flaw with ‘%ADd’ to execute a wget request for a shell script, leading to further network requests to retrieve an x86 version of the RedTail crypto-mining malware. Last month, Imperva reported that TellYouThePass ransomware actors are also exploiting CVE-2024-4577 to distribute a .NET variant of the file-encrypting malware.
Users and organizations relying on PHP should update to the latest version to defend against these active threats. Akamai researchers emphasized the shrinking time defenders have to protect themselves after a new vulnerability disclosure, highlighting the high exploitability and quick adoption by threat actors of this particular PHP vulnerability.
CVE-2024-4577: PHP 8.1.* before 8.1.29, 8.2.* 8.2.20, 8.3.* 8.3.8, when using Apache and PHP-CGI on Windows. allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP on server.
PoChttps://t.co/xKYp4HO6Tg pic.twitter.com/igClTRitEK
— Cyber Advising (@cyber_advising) June 10, 2024
In related news, Cloudflare reported a 20% year-over-year increase in DDoS attacks in the second quarter of 2024, mitigating 8.5 million attacks in the first half of the year. China, Turkey, Singapore, and Hong Kong were among the most targeted countries, while Argentina was the largest source of DDoS attacks.
Given the rapid exploitation of CVE-2024-4577, it’s crucial for users to update PHP installations immediately to prevent potential security breaches.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
