TellYouThePass Ransomware Gang Exploits New PHP RCE Flaw to Infiltrate Servers

June 11, 2024

The TellYouThePass ransomware group has been taking advantage of the recently patched CVE-2024-4577 remote code execution (RCE) vulnerability in PHP to infiltrate servers, deploy webshells, and execute the encryptor payload on the targeted systems. The attacks began on June 8, less than two days after PHP's maintainers released security updates, and used publicly available exploit code. The ransomware group is notorious for promptly weaponizing public exploits for vulnerabilities with a broad impact: in November 2023 it used an Apache ActiveMQ RCE in attacks, and in December 2021 it adopted the Log4j exploit to infiltrate companies.

In the most recent attacks observed by Imperva's cybersecurity researchers, TellYouThePass exploited the critical-severity CVE-2024-4577 bug to execute arbitrary PHP code. The injected code used the Windows mshta.exe binary to run a malicious HTML application (HTA) file containing a VBScript with a base64-encoded string. The script decodes that string into a .NET variant of the ransomware and loads it directly into the host's memory. After execution, the malware sends an HTTP request to a command-and-control (C2) server disguised as a CSS resource request and encrypts files on the infected machine. It then leaves a ransom note, 'READ_ME10.html,' with instructions for the victim on how to restore their files. Victims of TellYouThePass attacks have been reported since June 8, and the ransom note demanded 0.1 BTC (around $6,700) for the decryption key. One user whose website-hosting computer was encrypted discovered that the TellYouThePass ransomware campaign had affected multiple websites.
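The chain above (php-cgi.exe running attacker code, mshta.exe launched from it, and a READ_ME10.html note dropped after encryption) is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article or from Imperva; the event records and the process tree are constructed, and the simplified event schema (pid, ppid, image, path) is an assumption standing in for whatever your EDR or Sysmon pipeline emits. It walks process ancestry rather than matching only the direct parent, so an intermediate cmd.exe between php-cgi.exe and mshta.exe does not hide the chain.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # lowercase executable basename, e.g. "mshta.exe"

@dataclass(frozen=True)
class FileEvent:
    pid: int
    path: str

PHP_IMAGES = {"php-cgi.exe", "php.exe"}
RANSOM_NOTE = "read_me10.html"   # note name from the article, compared case-insensitively

def ancestry(pid, procs):
    """Image names from `pid` up to the root, following ppid links (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain

def php_spawned_mshta(proc_events):
    """mshta.exe processes with a PHP binary anywhere in their ancestry."""
    procs = {e.pid: e for e in proc_events}
    hits = []
    for e in proc_events:
        if e.image != "mshta.exe":
            continue
        chain = ancestry(e.pid, procs)
        if any(img in PHP_IMAGES for img in chain[1:]):
            hits.append((e.pid, " <- ".join(chain)))
    return hits

def ransom_note_drops(file_events):
    """File-creation events whose basename is the TellYouThePass ransom note."""
    return [f.path for f in file_events
            if f.path.replace("\\", "/").rsplit("/", 1)[-1].lower() == RANSOM_NOTE]

def hunt(proc_events, file_events):
    """Run both detections and return the findings keyed by detection name."""
    return {"php_to_mshta": php_spawned_mshta(proc_events),
            "ransom_notes": ransom_note_drops(file_events)}

# Constructed telemetry (not from any real incident): a web server's php-cgi.exe
# spawns cmd.exe, which launches mshta.exe; a user separately runs mshta.exe.
SAMPLE_PROCS = [
    ProcEvent(pid=400, ppid=1,   image="httpd.exe"),
    ProcEvent(pid=410, ppid=400, image="php-cgi.exe"),
    ProcEvent(pid=420, ppid=410, image="cmd.exe"),
    ProcEvent(pid=430, ppid=420, image="mshta.exe"),
    ProcEvent(pid=500, ppid=1,   image="explorer.exe"),
    ProcEvent(pid=510, ppid=500, image="mshta.exe"),
]
SAMPLE_FILES = [
    FileEvent(pid=430, path=r"C:\inetpub\wwwroot\READ_ME10.html"),
    FileEvent(pid=600, path=r"C:\Users\bob\notes.html"),
]

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_PROCS, SAMPLE_FILES).items():
        print(name, findings)
```

Only the mshta.exe under php-cgi.exe is reported; the user-launched one under explorer.exe is not, which is the point of checking ancestry rather than the bare image name. The ransom-note check is a post-encryption indicator and fires too late to prevent damage, so it belongs in response playbooks rather than as the only alert.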

CVE-2024-4577 is a critical RCE vulnerability that affects every PHP branch since 5.x; only the 8.1, 8.2, and 8.3 branches received fixes, and older, end-of-life branches remain unpatched. The vulnerability, which stems from Windows' "Best-Fit" character encoding conversion when PHP runs in CGI mode, was discovered on May 7 by Devcore's Orange Tsai, who reported it to the PHP team. A fix was released on June 6 with PHP versions 8.3.8, 8.2.20, and 8.1.29. On Friday, June 7, a day after the patch, watchTowr Labs released proof-of-concept (PoC) exploit code for CVE-2024-4577. The same day, The Shadowserver Foundation observed exploitation attempts against its honeypots. According to a report from Censys, there are over 450,000 exposed PHP servers that could be vulnerable to CVE-2024-4577, most of them located in the United States and Germany. Cloud security startup Wiz gave a more specific estimate of how many of those instances might actually be vulnerable, putting the share at around 34%.
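Turning the paragraph above into a triage check: a build is exposed only when it runs on Windows under the CGI SAPI, and whether it is fixed depends on its branch (8.3.8, 8.2.20, 8.1.29, or any branch newer than those). The following is an added example, not code from the article or from the PHP project; the inventory lines are constructed, and the treatment of 8.0, 7.x, and 5.x as "no fix, migrate" reflects PHP's release policy for end-of-life branches rather than anything the article states. The banner parsed is the first line of `php -v` or `php-cgi -v` output, which names the SAPI in parentheses.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

# "PHP 8.3.7 (cgi-fcgi) (built: ...)" -> version triple and SAPI name.
_BANNER = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)\S* \(([^)]+)\)")

def parse_banner(banner):
    """Parse the first line of `php -v` / `php-cgi -v` into ((major, minor, patch), sapi)."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version banner: {banner!r}")
    major, minor, patch, sapi = m.groups()
    return (int(major), int(minor), int(patch)), sapi

def assess(banner, windows):
    """Verdict for one PHP binary: not-windows, sapi-not-cgi, patched,
    update-to-X.Y.Z, or eol-unpatched."""
    version, sapi = parse_banner(banner)
    if not windows:
        return "not-windows"            # bug is in Windows encoding conversion
    if sapi != "cgi-fcgi":
        return "sapi-not-cgi"           # this binary is not the CGI SAPI
    branch = version[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        return "patched" if version >= fixed else "update-to-%d.%d.%d" % fixed
    if branch > max(FIXED):
        return "patched"                # branch created after the fix landed
    return "eol-unpatched"              # 8.0, 7.x, 5.x: no fix issued; migrate

def triage(inventory):
    """Map host name -> verdict over (host, banner, is_windows) records."""
    return {host: assess(banner, windows) for host, banner, windows in inventory}

# Constructed inventory (hostnames, build dates and flags are made up).
INVENTORY = [
    ("web-01", "PHP 8.3.7 (cgi-fcgi) (built: May  8 2024 09:00:00) (NTS x64)", True),
    ("web-02", "PHP 8.2.20 (cgi-fcgi) (built: Jun  5 2024 09:00:00) (NTS x64)", True),
    ("web-03", "PHP 8.0.30 (cgi-fcgi) (built: Aug  3 2023 09:00:00) (NTS x64)", True),
    ("web-04", "PHP 8.1.28 (cli) (built: Apr 10 2024 09:00:00) (NTS x64)", True),
    ("web-05", "PHP 8.1.28 (cgi-fcgi) (built: Apr 10 2024 09:00:00) (NTS)", False),
]

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host}: {verdict}")
```

A "sapi-not-cgi" verdict for a CLI banner says nothing about a php-cgi.exe sitting beside it in the same install, so collect the banner from the CGI binary that the web server actually invokes. The check answers whether the binary is fixed, not whether it is reachable from the internet; that is the gap between Censys's exposure count and Wiz's 34% estimate.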
