Cybercriminals are exploiting a newly disclosed flaw in PHP to deliver a variety of malicious programs such as cryptocurrency miners, remote access trojans (RATs), and distributed denial-of-service (DDoS) botnets.
Tracked as CVE-2024-4577 and rated 9.8 on the CVSS scale, the vulnerability is an argument-injection bug in PHP's CGI mode on Windows: an unauthenticated attacker can smuggle command-line options to php-cgi and through them execute arbitrary code on servers whose system locale is Traditional Chinese, Simplified Chinese, or Japanese.
Critical Flaw in PHP
“CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP,” Akamai researchers Allen West, Sam Tinklenberg, and Kyle Lefton explained. The root cause is the Windows "Best-Fit" behaviour: when php-cgi.exe's command line is converted from Unicode to the system code page, characters with no exact equivalent are replaced by the closest ASCII look-alike. In the affected locales the soft hyphen (0xAD) is turned into an ordinary hyphen (0x2D), so a percent-encoded soft hyphen in the URL reaches PHP as the start of a command-line option and sidesteps a guard that only looks for a literal hyphen.
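To make that mechanism concrete, the following Python model (an added example, not code from the article, from Akamai, or from PHP itself) reproduces the decision php-cgi makes from QUERY_STRING and contrasts it with what Windows actually hands the process. The best-fit table is reduced to the single soft-hyphen entry, and the `-d` query string is the `allow_url_include`/`auto_prepend_file` pair described in public write-ups; both are assumptions of the model, not a transcription of PHP's source.

```python
from urllib.parse import unquote_to_bytes

# Reduced model of the Windows "Best-Fit" conversion behind CVE-2024-4577.
# When the Unicode command line is handed to an ANSI program such as
# php-cgi.exe under the affected locales, characters with no exact code-page
# counterpart are replaced by a look-alike; the one that matters is the soft
# hyphen U+00AD (0xAD) becoming '-' (0x2D). Only that entry is modelled
# (an assumption for illustration; the real tables are far larger).
BEST_FIT = {0xAD: 0x2D}

# Query string of the kind reported in public write-ups (assumed here as the
# sample input): two "-d" options, with '=' percent-encoded so the query
# still qualifies as command-line arguments under RFC 3875.
PAYLOAD = "%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"


def best_fit(raw: bytes) -> bytes:
    """Apply the modelled best-fit mapping byte by byte."""
    return bytes(BEST_FIT.get(b, b) for b in raw)


def cgi_argv(query_string: str) -> list[bytes]:
    """What php-cgi.exe finds in argv for a given QUERY_STRING.

    RFC 3875 / Apache mod_cgi: a query string with no literal '=' is split on
    '+' and each piece is percent-decoded and passed as one argument. On
    Windows every argument then passes through best-fit before main() runs.
    """
    if "=" in query_string:
        return []
    return [best_fit(unquote_to_bytes(p)) for p in query_string.split("+") if p]


def getopt_argv_vulnerable(query_string: str) -> list[bytes]:
    """Arguments that reach option parsing under the pre-fix guard.

    Since CVE-2012-1823 php-cgi percent-decodes QUERY_STRING and skips getopt
    if the result starts with '-'. That decode works on the environment
    variable, which never went through best-fit, so 0xAD is not recognised
    even though argv already holds a real '-'.
    """
    if "=" in query_string:
        return []
    if unquote_to_bytes(query_string)[:1] == b"-":
        return []  # guard fires: a plain "?-d ..." is refused
    return cgi_argv(query_string)


def getopt_argv_hardened(query_string: str) -> list[bytes]:
    """One way to close the gap (illustrative, not PHP's actual patch): judge
    the argument vector the process really received, after the OS conversion,
    and refuse anything option-shaped that came from the URL."""
    argv = cgi_argv(query_string)
    if any(arg[:1] == b"-" for arg in argv):
        return []
    return argv


def ini_directives(argv: list[bytes]) -> dict[bytes, bytes]:
    """Collect the -d key=value pairs getopt would apply as INI overrides."""
    found: dict[bytes, bytes] = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == b"-d" and i + 1 < len(argv):
            key, _, value = argv[i + 1].partition(b"=")
            found[key] = value
            i += 2
        elif arg.startswith(b"-d") and len(arg) > 2:  # "-dkey=value" form
            key, _, value = arg[2:].partition(b"=")
            found[key] = value
            i += 1
        else:
            i += 1
    return found


if __name__ == "__main__":
    for qs in ("-d+allow_url_include%3d1", PAYLOAD):
        print(qs)
        print("  vulnerable guard lets through:", getopt_argv_vulnerable(qs))
        print("  hardened guard lets through:  ", getopt_argv_hardened(qs))
    print("INI overrides the payload would set:",
          ini_directives(getopt_argv_vulnerable(PAYLOAD)))
```

Running it shows the plain `?-d ...` form stopped by the old guard while the soft-hyphen form reaches getopt with two `-d` directives. Setting `allow_url_include=1` together with `auto_prepend_file=php://input` makes PHP execute the request body before the requested script, which is why a single POST is enough for the miners and RATs described below.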
Exploitation and Consequences
Exploitation attempts were observed within 24 hours of disclosure. Among the payloads deployed are the Gh0st RAT, a long-lived remote access trojan with full host-control features, and the cryptocurrency miners RedTail and XMRig. The Muhstik DDoS botnet has also been linked to the flaw, showing how broadly it is being abused.
Gh0st RAT sample (Source: Akamai)
In one campaign, “the attacker sent a request similar to the others seen in previous RedTail operations, abusing the soft hyphen flaw with ‘%ADd’ to execute a wget request for a shell script,” the researchers noted. That script then contacts a Russia-based server to download the RedTail cryptocurrency miner.
Separately, Imperva reported that the TellYouThePass ransomware group is using CVE-2024-4577 to deliver a .NET build of its ransomware, a sign of how quickly the flaw has been picked up across criminal groups.
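Defenders hunting for the `%ADd` pattern above in web server logs can apply the CGI rule in reverse: a request whose query string contains no `=` is candidate argv, and any argument that decodes to a hyphen or a soft hyphen is an injection attempt. The script below is an added example (not from Akamai, Imperva, or the article) that runs that check over constructed Apache-style access log lines; the addresses, timestamps, and user agents are invented for the sample.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-format lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2024:10:12:01 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.9 - - [07/Jun/2024:10:12:05 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2024:10:13:44 +0000] "GET /test.php?%add+allow_url_include%3D1 HTTP/1.1" 200 99 "-" "python-requests/2.31"
198.51.100.12 - - [07/Jun/2024:10:14:00 +0000] "GET /search.php?q=%AD-test HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2024:10:15:10 +0000] "GET /cgi-bin/php-cgi.exe?-d+allow_url_include%3d1 HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def argv_from_query(query: str) -> list[bytes]:
    """RFC 3875: a query with no literal '=' becomes command-line arguments,
    one per '+'-separated, percent-decoded piece. Anything else is ordinary
    form data and never reaches argv."""
    if "=" in query:
        return []
    return [unquote_to_bytes(p) for p in query.split("+") if p]


def is_argument_injection(target: str) -> bool:
    """True when a request target would put an option-looking argument into
    php-cgi's argv: a decoded '-' (the pre-2012 pattern, now blocked by PHP's
    guard) or a decoded soft hyphen 0xAD (the CVE-2024-4577 bypass)."""
    _path, sep, query = target.partition("?")
    if not sep:
        return False
    return any(arg[:1] in (b"-", b"\xad") for arg in argv_from_query(query))


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request, noting whether the encoded
    soft hyphen was present (the marker of the locale-dependent bypass)."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not is_argument_injection(m["target"]):
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "target": m["target"],
            "soft_hyphen": "%ad" in m["target"].lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        tag = "CVE-2024-4577" if hit["soft_hyphen"] else "legacy -d probe"
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]}  [{tag}]')
```

The fourth sample line carries `%AD` inside a normal `q=` parameter and is correctly left alone, because the presence of `=` means Apache would never turn it into arguments; the fifth line has no soft hyphen and is reported only as a legacy probe. Flagging every argument rather than just the first keeps the check broader than a prefix match on the query string.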
Broader Implications
The disclosure of CVE-2024-4577 comes as Cloudflare's DDoS threat report for the second quarter of 2024 records a 20% year-over-year increase in DDoS attacks. China, Turkey, and Singapore were among the most targeted countries, and technology and education among the most targeted sectors.
Most attacked countries in 2024 Q2 (Source: Cloudflare)
The same Cloudflare report ranked Argentina as the largest source of DDoS attacks during the quarter, with Indonesia a close second and the Netherlands third.
Final Word
Organizations running PHP on Windows, in particular in CGI mode or on default XAMPP installs, should upgrade to the fixed releases (PHP 8.3.8, 8.2.20, or 8.1.29); the 8.0 and older branches are end-of-life and will not receive a patch. Where an immediate upgrade is not possible, switch from CGI to mod_php, FastCGI, or PHP-FPM, or block requests whose query string begins with an encoded soft hyphen at the web server, and review access logs for the `%AD` pattern to catch attempts that have already gone through.
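The mod_rewrite rule below is the temporary mitigation PHP published alongside the fixed releases; it is reproduced here as an added example rather than taken from the article, and the surrounding comments are ours.

```apache
# Stop-gap for Apache servers that cannot upgrade PHP yet (Windows, CGI mode).
# Refuse any request whose query string starts with a percent-encoded soft
# hyphen, the byte the known exploit needs in first position.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
```

This only closes the prefix that the public exploit uses and does nothing for servers that expose php-cgi through another path; XAMPP users who do not need CGI can instead comment out the `ScriptAlias /php-cgi/` line in `httpd-xampp.conf`. Upgrading PHP, or moving off CGI entirely, remains the actual fix.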