Headline
PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks
Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets. The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It
Cyber Attack / Vulnerability
Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets.
The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It was publicly disclosed in early June 2024.
“CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP,” Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg said in a Wednesday analysis. “The vulnerability itself lies in how Unicode characters are converted into ASCII.”
The web infrastructure company said it began observing exploit attempts against its honeypot servers targeting the PHP flaw within 24 hours of it being public knowledge.
This included exploits designed to deliver a remote access trojan called Gh0st RAT, cryptocurrency miners like RedTail and XMRig, and a DDoS botnet named Muhstik.
“The attacker sent a request similar to the others seen previous RedTail operations, abusing the soft hyphen flaw with ‘%ADd,’ to execute a wget request for a shell script,” the researchers explained. “This script makes an additional network request to the same Russia-based IP address to retrieve an x86 version of the RedTail crypto-mining malware.”
Last month, Imperva also revealed that CVE-2024-4577 is being exploited by TellYouThePass ransomware actors to distribute a .NET variant of the file-encrypting malware.
Users and organizations relying on PHP are recommended to update their installations to the latest version to safeguard against active threats.
“The continuously shrinking time that defenders have to protect themselves after a new vulnerability disclosure is yet another critical security risk,” the researchers said. “This is especially true for this PHP vulnerability because of its high exploitability and quick adoption by threat actors.”
The disclosure comes as Cloudflare said it recorded a 20% year-over-year increase in DDoS attacks in the second quarter of 2024, and that it mitigated 8.5 million DDoS attacks during the first six months. In comparison, the company blocked 14 million DDoS attacks for the entirety of 2023.
“Overall, the number of DDoS attacks in Q2 decreased by 11% quarter-over-quarter, but increased 20% year-over-year,” researchers Omer Yoachimik and Jorge Pacheco said in the DDoS threat report for Q2 2024.
The most attacked country during the time period was China, followed by Turkey, Singapore, Hong Kong, Russia, Brazil, Thailand, Canada, Taiwan, and Kyrgyztan. Information technology and services, telecom, consumer goods, education, construction, and food emerged as the top sectors targeted by DDoS attacks.
“Argentina was ranked as the largest source of DDoS attacks in the second quarter of 2024,” the researchers said. “Indonesia followed closely in second place, followed by the Netherlands in third.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Androxgh0st, a botnet targeting web servers since January 2024, is also deploying IoT-focused Mozi payloads, reveals CloudSEK’s latest research.
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a
A previously undocumented backdoor named Msupedge has been put to use against a cyber attack targeting an unnamed university in Taiwan. "The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The origins of the backdoor are
Gentoo Linux Security Advisory 202408-32 - Multiple vulnerabilities have been discovered in PHP, the worst of which can lead to a denial of service. Versions greater than or equal to 8.1.29:8.1 are affected.
This Metasploit module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations on a Windows target. A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D) character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch), and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches. XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.
PHP versions prior to 8.3.8 suffer from a remote code execution vulnerability.
An RCE vulnerability that affects the Web scripting language on Windows systems is easy to exploit and can provide a broad attack surface.