PHP Vulnerability Used For Malware And DDOS Attacks

The cybercrime landscape has recently seen multiple threat actors exploiting a known PHP vulnerability. As per recent media reports, the vulnerability is exploited to deliver crypto miners, distributed denial-of-service (DDoS) botnets, and remote access trojans. In this article, we’ll learn more about the PHP vulnerability exploit and what can be done to safeguard against it.

The PHP Vulnerability CVE-2024-4577

The PHP security flaw is currently being dubbed CVE-2024-4577. As of now, the vulnerability has a critical vulnerability severity score (CVSS) of 9.8, making it a severe threat to organizations and individuals.

When a threat actor exploits this PHP vulnerability, it allows them to remotely execute malicious commands on Windows systems. Reports have stated that the language locale used for the executions are Japanese and Chinese.

It’s worth mentioning here that this PHP security flaw was first discovered in June 2024. Cybersecurity researchers from Akamai, providing insights into the PHP vulnerability, have stated that:

“CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP.” The researchers have added that “The vulnerability itself lies in how Unicode characters are converted into ASCII.”

Initial Discovery And Mitigation Protocols

As per the information available, the web infrastructure company has stated that they began to observe the exploits against their honeypot servers. These attempts were aimed at exploiting the flaw and took place within 24 hours of the PHP vulnerability becoming public knowledge.

In addition, the attempts included the delivery of a remote access trojan named Gh0st RAT that was accompanied by crypto miners such as RedTail and XMRig and a DDoS botnet named Muhstik. Providing further insight into the attacks, the cybersecurity researchers stated that:

“The attacker sent a request similar to the others seen previous RedTail operations, abusing the soft hyphen flaw with ‘%ADd,’ to execute a wget request for a shell script”

The researchers went on to explain that the script is used for making an additional network request to the same Russian-based IP address to retrieve an x86 version of the RedTail crypto-mining malware.

Imperva, another cybersecurity firm, also noticed that the PHP vulnerability was being actively exploited. Based on their insights, Tell You The Pass ransomware actors are believed to be the culprits behind these exploits.

These threat actors distributed a .NET variant of the file-encrypting malware for carrying out their malicious intents. Cybersecurity researchers have gone on to state the timeframe between the public disclosure and the active exploits adds another layer of severity to the attacks.

It’s worth mentioning here that the vulnerability is highly exploitable and has gained quick adoption among threat actors. Given the severity of the vulnerability, and the aftermath if it’s exploited, both individual and organizational users should update their installation to the latest versions as it can help safeguard against threats.

Conclusion

The rapid exploitation of the CVE-2024-4577 PHP vulnerability by threat actors underscores the critical importance of timely updates and proactive cybersecurity measures. Despite the severity of the flaw, updating PHP installations has helped mitigate risks. This incident highlights the necessity for organizations to stay informed and implement security patches promptly to safeguard against evolving cyber threats.

The sources for this piece include articles in The Hacker News and Pure VPN.