PHP Flaw Exploited by Threat Actors to Disseminate Malware and Initiate DDoS Attacks

July 11, 2024

A security flaw in PHP, tracked as CVE-2024-4577, is being exploited by multiple threat actors to spread remote access trojans and cryptocurrency miners and to build out distributed denial-of-service (DDoS) botnets. The vulnerability, which carries a CVSS score of 9.8, allows an attacker to remotely execute commands on Windows systems configured with Chinese or Japanese language locales. It was publicly disclosed in early June 2024.

According to Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg, "CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP. The vulnerability itself lies in how Unicode characters are converted into ASCII." The company started noticing exploit attempts against its honeypot servers targeting the PHP flaw within a day of it becoming public knowledge.

Among the exploits observed were those designed to deliver a remote access trojan called Gh0st RAT, cryptocurrency miners such as RedTail and XMRig, and a DDoS botnet named Muhstik. The researchers explained, "The attacker sent a request similar to the others seen in previous RedTail operations, abusing the soft hyphen flaw with '%ADd,' to execute a wget request for a shell script. This script makes an additional network request to the same Russia-based IP address to retrieve an x86 version of the RedTail crypto-mining malware."
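A defender-side triage check for the "%ADd" pattern the researchers describe, added here as an example and not Akamai's own code: it URL-decodes the query string of each web-server access-log line and flags a lone 0xAD (soft hyphen) byte immediately followed by a letter, the shape that becomes a "-x" style argument after the locale's best-fit mapping. The log format, IP addresses and query values are constructed, and a hit is an indicator worth reviewing, not proof of successful exploitation.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not real traffic). The second line
# carries the "%ADd" pattern described in the article: a percent-encoded soft
# hyphen (0xAD) directly in front of a "d" that the flawed PHP-CGI handling
# turns into a real "-d" option; the trailing value is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jul/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [11/Jul/2024:10:00:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+placeholder%3dvalue HTTP/1.1" 200 0
203.0.113.9 - - [11/Jul/2024:10:00:03 +0000] "GET /index.php?q=%e2%80%8bsoft HTTP/1.1" 200 77
"""

# Common/combined log format: client IP, identity, user, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def is_suspicious_target(target: str) -> bool:
    """True when the query string decodes to a 0xAD byte followed by a letter.

    Caveat: 0xAD is also a valid UTF-8 continuation byte, so multibyte text in
    a query (for example some Arabic characters) can produce a false positive;
    treat a hit as a lead for review, not a verdict.
    """
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    raw = unquote_to_bytes(query)  # "%AD" becomes the single byte 0xAD
    return re.search(rb"\xad[A-Za-z]", raw) is not None

def find_probes(log_text: str):
    """Return (ip, method, target) for every log line matching the indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_target(m.group("target")):
            hits.append((m.group("ip"), m.group("method"), m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, method, target in find_probes(SAMPLE_LOG):
        print(f"CVE-2024-4577 indicator from {ip}: {method} {target}")
```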

In addition, last month, cybersecurity company Imperva reported that the PHP vulnerability is being exploited by TellYouThePass ransomware actors to distribute a .NET variant of the file-encrypting malware. To protect against these active threats, users and organizations that rely on PHP are advised to update their installations to the latest version. "The continuously shrinking time that defenders have to protect themselves after a new vulnerability disclosure is yet another critical security risk," the researchers warned, adding that this is particularly true for this PHP vulnerability due to its high exploitability and rapid adoption by threat actors.

The disclosure comes as Cloudflare reported a 20% year-on-year increase in DDoS attacks in the second quarter of 2024, with 8.5 million DDoS attacks mitigated during the first six months of the year. For comparison, the company blocked 14 million DDoS attacks throughout 2023. Researchers Omer Yoachimik and Jorge Pacheco observed in the DDoS threat report for Q2 2024 that "Overall, the number of DDoS attacks in Q2 decreased by 11% quarter-over-quarter, but increased 20% year-over-year." The countries most targeted by these attacks were China, Turkey, Singapore, Hong Kong, Russia, Brazil, Thailand, Canada, Taiwan, and Kyrgyzstan, and the most targeted sectors were information technology and services, telecom, consumer goods, education, construction, and food. According to the researchers, "Argentina was ranked as the largest source of DDoS attacks in the second quarter of 2024, followed by Indonesia and then the Netherlands."
