Introduction
A sophisticated cyber-intrusion campaign has been identified [2] [5], primarily targeting organizations in Japan across various sectors [1] [4], including technology [1], telecommunications [1] [2] [5], entertainment [1] [2] [5], education [1] [2] [5], and e-commerce [1] [2] [5]. The campaign exploits CVE-2024-4577, a critical vulnerability in the PHP-CGI interface of PHP on Windows servers, to gain initial access, deploy Cobalt Strike, escalate privileges, and harvest credentials.
Description
The attackers exploited CVE-2024-4577 [2] [5], a critical vulnerability in the PHP-CGI implementation of PHP on Windows [1] [2] [3] [5] that leads to remote code execution (RCE); servers running PHP through Apache with a vulnerable PHP-CGI setup are affected [3]. The flaw is an argument-injection bug: on Windows systems using certain locales (Japanese code page 932 among them), the Best-Fit character mapping converts the byte 0xAD (a soft hyphen) in the query string into a hyphen, so an attacker can pass command-line options such as -d to php-cgi and, with directives like allow_url_include and auto_prepend_file, execute arbitrary PHP code supplied in the request body. This gave the attackers their initial foothold in victim networks.
The attack proceeded in several stages [5]. The attackers first used a publicly available Python exploit script, PHP-CGI-CVE-2024-4577-RCE.py [2] [5], to check whether a target was vulnerable [2] [5]. Upon successful exploitation [2] [3] [5], they executed a PowerShell command that downloaded and ran a PowerShell injector script from their command-and-control (C2) server [3] [5]; the script contained Cobalt Strike reverse HTTP shellcode [1] [2] [3], which it injected into the memory of a process on the victim machine [3]. Once running, the shellcode connected back to the attackers' C2 servers, giving them persistent remote access to the compromised systems.
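As an added example (not code from the original report or from any of the cited sources), the following Python detector flags CVE-2024-4577 exploitation attempts in Apache access-log lines. It percent-decodes the query string and looks for the 0xAD byte immediately followed by an option letter, which is how the injected -d (and the source-disclosure -s) option reaches php-cgi once Best-Fit mapping has turned 0xAD into a hyphen. The log lines, IP addresses, paths and user agents are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# CVE-2024-4577: on Windows code pages such as 932 (Japanese), Best-Fit mapping turns the
# byte 0xAD (soft hyphen) into '-', so "%ADd" reaches php-cgi as the option "-d".
INJECTED_OPTION = re.compile(rb'\xad([A-Za-z])')

# php.ini directives an attacker typically injects with -d to turn the bug into RCE.
DANGEROUS_DIRECTIVES = (b'allow_url_include', b'auto_prepend_file', b'php://input',
                        b'cgi.force_redirect')


def decode_query(target: str):
    """Split a request target into (raw_query, decoded_bytes).

    mod_cgi passes the query string to the CGI binary as argv (split on '+')
    only when it contains no literal '=', so the raw form matters as well."""
    if '?' not in target:
        return '', b''
    raw = target.split('?', 1)[1]
    return raw, unquote_to_bytes(raw)   # keeps '+' intact, unlike unquote_plus


def classify(line: str):
    """Return a finding dict for a CVE-2024-4577 attempt in one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw, decoded = decode_query(m['target'])
    options = INJECTED_OPTION.findall(decoded)
    if not options:
        return None
    directives = [d.decode() for d in DANGEROUS_DIRECTIVES if d in decoded]
    argv_vector = '=' not in raw          # precondition for argv injection via mod_cgi
    exploit = argv_vector and m['status'].startswith('2')
    return {
        'ip': m['ip'],
        'target': m['target'],
        'options': [o.decode() for o in options],   # e.g. ['d', 'd'] for two -d flags
        'directives': directives,
        'argv_vector': argv_vector,
        'severity': 'high' if exploit else 'medium',
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample lines, not taken from the campaign's logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Mar/2025:10:01:02 +0900] "GET /index.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Mar/2025:10:02:15 +0900] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.9 - - [07/Mar/2025:10:02:40 +0900] "GET /cgi-bin/php-cgi.exe?%ADs HTTP/1.1" 404 196 "-" "python-requests/2.31"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f['severity'], f['ip'], f['target'], f['options'], f['directives'])
```

A raw 0xAD byte essentially never appears in legitimate query strings, so the rule has few false positives; severity is raised to high only when the server answered 2xx and the query carried no literal '=', since without that precondition mod_cgi does not pass the query as argv and the injection cannot reach php-cgi. The %ADs variant is an attempt at source disclosure rather than code execution, which is why it is scored lower in the sample.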
Privilege escalation to SYSTEM was achieved with token-impersonation exploits from the Potato family, including JuicyPotato [2] [5], RottenPotato [1] [2] [5], and SweetPotato [1] [2] [5]. Ladon.exe was used to bypass User Account Control (UAC) and execute payloads discreetly [2], alongside SharpTask.exe [2] (scheduled-task creation), SharpHide.exe [2] [3] [5] (hidden registry keys), and SharpStay.exe (persistence through services) [2] [5]. To maintain persistence [1], the attackers modified registry keys, created scheduled tasks [1], and used Cobalt Strike plugins [1], including the "TaoWu" kit, which bundles a range of post-exploitation tools. They cleared Windows event logs with wevtutil commands to evade detection, scanned the network with fscan.exe, and enumerated hosts with Seatbelt.exe [2]. Credentials were harvested with Mimikatz, which extracted NTLM hashes and plaintext passwords from memory [5]; the attackers then moved laterally by abusing Group Policy Objects (GPOs) to execute commands on other hosts and gather additional credentials [1].
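To show what host-side monitoring for the persistence and evasion techniques above could look like, here is an added Python example (not code from the original report or any cited source) that correlates Windows event records: process-creation events (4688) whose command line invokes wevtutil cl, log-cleared events (1102 for Security, 104 for System), scheduled-task creation (4698), Run-key modification (4657) and new-service installation (7045). The event IDs are the standard Windows ones; the host names, timestamps and field values are constructed for the example, and the records are plain dicts standing in for parsed EVTX or forwarded JSON events.

```python
import re
from datetime import datetime, timedelta

# Command lines that wipe a log channel, as in the campaign ("wevtutil cl <log>").
WEVTUTIL_CLEAR = re.compile(r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b', re.I)
# Autostart registry keys commonly abused for persistence.
RUN_KEY = re.compile(r'\\CurrentVersion\\(?:Run|RunOnce)(?:\\|$)', re.I)

# event ID -> (channel, predicate on the record, technique label)
RULES = {
    1102: ('Security', lambda ev: True, 'security log cleared'),
    104:  ('System',   lambda ev: True, 'event log cleared'),
    4688: ('Security', lambda ev: bool(WEVTUTIL_CLEAR.search(ev.get('CommandLine', ''))),
           'wevtutil used to clear logs'),
    4698: ('Security', lambda ev: True, 'scheduled task created'),
    4657: ('Security', lambda ev: bool(RUN_KEY.search(ev.get('ObjectName', ''))),
           'run key modified'),
    7045: ('System',   lambda ev: True, 'new service installed'),
}


def match(ev):
    """Return the technique label a single record matches, or None."""
    rule = RULES.get(ev['EventID'])
    if rule is None:
        return None
    channel, predicate, label = rule
    if ev['Channel'] != channel or not predicate(ev):
        return None
    return label


def correlate(events, window=timedelta(minutes=10), min_ttps=2):
    """Group matched records per host and raise one incident per host when at least
    `min_ttps` distinct techniques occur within `window` of each other.

    Note: a 4688 for "wevtutil cl security" is itself destroyed when the Security
    log is cleared; the 1102 record written afterwards is what survives, which is
    why both are rules here rather than only the command line."""
    hits = {}
    for ev in events:
        label = match(ev)
        if label:
            ts = datetime.fromisoformat(ev['TimeCreated'])
            hits.setdefault(ev['Computer'], []).append((ts, label, ev['EventID']))
    incidents = []
    for host, items in hits.items():
        items.sort()
        for i, (t0, _, _) in enumerate(items):
            cluster = [x for x in items[i:] if x[0] - t0 <= window]
            labels = sorted({x[1] for x in cluster})
            if len(labels) >= min_ttps:
                incidents.append({'host': host, 'start': t0.isoformat(), 'ttps': labels,
                                  'event_ids': [x[2] for x in cluster]})
                break   # one incident per host is enough for triage
    return incidents


# Constructed records; WEB01 mirrors the post-exploitation sequence described above,
# FILE01 shows benign task creation and a read-only wevtutil query.
SAMPLE_EVENTS = [
    {'TimeCreated': '2025-03-07T10:05:00', 'EventID': 4688, 'Channel': 'Security',
     'Computer': 'WEB01', 'CommandLine': 'wevtutil.exe cl system'},
    {'TimeCreated': '2025-03-07T10:05:01', 'EventID': 104, 'Channel': 'System', 'Computer': 'WEB01'},
    {'TimeCreated': '2025-03-07T10:06:00', 'EventID': 4657, 'Channel': 'Security', 'Computer': 'WEB01',
     'ObjectName': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'},
    {'TimeCreated': '2025-03-07T10:06:30', 'EventID': 4698, 'Channel': 'Security', 'Computer': 'WEB01'},
    {'TimeCreated': '2025-03-07T10:07:10', 'EventID': 7045, 'Channel': 'System', 'Computer': 'WEB01'},
    {'TimeCreated': '2025-03-07T11:00:00', 'EventID': 4698, 'Channel': 'Security', 'Computer': 'FILE01'},
    {'TimeCreated': '2025-03-07T11:01:00', 'EventID': 4688, 'Channel': 'Security',
     'Computer': 'FILE01', 'CommandLine': 'wevtutil.exe qe Application /c:5'},
    {'TimeCreated': '2025-03-07T11:02:00', 'EventID': 4624, 'Channel': 'Security', 'Computer': 'FILE01'},
]

if __name__ == '__main__':
    for inc in correlate(SAMPLE_EVENTS):
        print(inc['host'], inc['start'], inc['ttps'], inc['event_ids'])
```

Three of these signals depend on audit configuration: 4688 only carries the command line when "Include command line in process creation events" is enabled, 4657 requires a SACL on the Run keys, and 4698 requires auditing of other object access events. Requiring two distinct techniques inside a short window keeps a lone scheduled task (common in normal administration) from paging anyone, while the clear-plus-persist combination seen in this campaign still surfaces.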
The attackers operated from two C2 servers hosted on Alibaba Cloud [1], at 38.14.255.23 and 118.31.18.77 [3]. Notably, the server at 38.14.255.23 had directory listing enabled, exposing its root folder to the internet [3]. On it, the attackers had deployed containers running pre-configured installer scripts that fetched a range of offensive security tools and frameworks [5], suggesting preparation for further operations [3]. These included Blue-Lotus [5], a JavaScript webshell framework for cross-site scripting (XSS) and browser exploitation [5]; BeEF [5], a browser exploitation framework [5]; and Viper C2 [5], a modular command-and-control framework for payload execution across platforms [5]. While some tactics resembled those of the You Dun (Dark Cloud Shield) hacker group [2] [5], no definitive attribution has been established, in part because no further activity was observed after credential harvesting [1].
Conclusion
This incident underscores the need to patch vulnerabilities such as CVE-2024-4577 promptly: fixes shipped in PHP 8.3.8, 8.2.20 and 8.1.29, and where updating is not immediately possible, Windows servers should stop serving PHP through the CGI interface (mod_php, FastCGI or PHP-FPM with the CGI module disabled removes the argument-injection vector). Further mitigations include restricting PowerShell execution through group policies [5], monitoring logs for unauthorized registry modifications [2] [5], and deploying endpoint detection and response (EDR) solutions that can identify Cobalt Strike activity [2] [5]. The campaign highlights the growing trend of threat actors exploiting public-facing applications [2] [5], which calls for increased vigilance and proactive defence against evolving threats.
References
[1] https://blog.talosintelligence.com/new-persistent-attacks-japan/
[2] https://ciso2ciso.com/attackers-target-japanese-firms-with-cobalt-strike-source-www-infosecurity-magazine-com/
[3] https://news.backbox.org/2025/03/06/unmasking-the-new-persistent-attacks-on-japan/
[4] https://www.hendryadrian.com/unmasking-the-new-persistent-attacks-on-japan/
[5] https://www.infosecurity-magazine.com/news/attackers-japan-cobalt-strike/