Multiple malicious actors have been observed exploiting a recently revealed vulnerability in PHP to distribute remote access trojans, cryptocurrency miners, and launch distributed denial-of-service (DDoS) attacks.
The vulnerability in question is known as CVE-2024-4577 (CVSS score: 9.8), which enables attackers to execute unauthorized commands on Windows systems that are configured with Chinese and Japanese language settings. It was publicly disclosed in early June 2024.
According to an analysis by Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg, “CVE-2024-4577 allows an attacker to evade command line restrictions and inject commands directly into PHP. The root of the flaw lies in the conversion of Unicode characters into ASCII.”
The web infrastructure company reported that attempts to exploit this PHP vulnerability began appearing within 24 hours of its disclosure, targeting their honeypot servers.
These attempts included methods to deploy the Gh0st RAT remote access trojan, cryptocurrency miners such as RedTail and XMRig, and a DDoS botnet named Muhstik.
“The attacker used a request resembling those seen in previous RedTail operations, exploiting the soft hyphen vulnerability with ‘%ADd’, to trigger a wget request for a shell script,” the researchers detailed. “This script then initiates another network request to a Russian IP address to fetch an x86 version of the RedTail crypto-mining malware.”
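The two quoted observations above describe the request shape defenders can look for: a percent-encoded soft hyphen (`%AD`) that the affected Windows locales map to an ASCII hyphen, followed by an option letter, aimed at a PHP endpoint. The following is an added example of a log-review script for that indicator; it is not code from Akamai, Imperva, or the article. It assumes Apache-style combined access-log lines and uses a constructed sample log in which the directive name after `%ADd` is a placeholder rather than any real payload.

```python
import re
from urllib.parse import unquote_to_bytes

# U+00AD SOFT HYPHEN. On the affected Windows locales the single byte 0xAD is
# best-fit mapped to an ASCII hyphen, which is how "%ADd" reaches php-cgi as "-d".
SOFT_HYPHEN = 0xAD

# Minimal Apache combined-style log line parser (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Paths that hand the request to PHP (php-cgi binary or a .php script).
PHP_PATH_RE = re.compile(r'(\.php$|php-cgi)', re.IGNORECASE)

# Constructed sample log lines; the directive after %ADd is a placeholder, not a payload.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jun/2024:12:00:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+PLACEHOLDER_DIRECTIVE%3D1 HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.12 - - [10/Jun/2024:12:00:03 +0000] "GET /search.php?q=caf%C3%A9 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Jun/2024:12:00:04 +0000] "GET /about.php?q=soft%C2%ADhyphen HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Jun/2024:12:00:05 +0000] "GET /static/app.js?v=%AD HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Split one access-log line into ip, timestamp, path, query and status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
            "query": query, "status": int(m.group("status"))}


def soft_hyphen_findings(query: str):
    """Return (has_soft_hyphen, option_letter, utf8_encoded) for a raw query string.

    option_letter is the character right after the first 0xAD byte when it is an
    ASCII letter (the '%ADd' shape Akamai describes), otherwise None.
    utf8_encoded is True when the soft hyphen arrived as the two-byte UTF-8
    sequence C2 AD, which is how ordinary text normally carries it.
    """
    raw = unquote_to_bytes(query.replace("+", " "))
    idx = raw.find(bytes([SOFT_HYPHEN]))
    if idx == -1:
        return (False, None, False)
    nxt = raw[idx + 1:idx + 2]
    letter = nxt.decode("latin-1") if nxt.isalpha() else None
    utf8 = idx > 0 and raw[idx - 1] == 0xC2
    return (True, letter, utf8)


def scan(log_text: str):
    """Scan access-log text and return one finding per request carrying a soft hyphen."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit, letter, utf8 = soft_hyphen_findings(rec["query"])
        if not hit:
            continue
        php_target = bool(PHP_PATH_RE.search(rec["path"]))
        if php_target and letter and not utf8:
            severity = "high"    # bare %AD plus option letter at a PHP endpoint: the reported shape
        elif php_target:
            severity = "medium"  # soft hyphen at a PHP endpoint, but not the classic shape
        else:
            severity = "low"     # soft hyphen elsewhere; worth a glance, usually benign text
        findings.append({"ip": rec["ip"], "path": rec["path"],
                         "option": letter, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['path']} option={f['option']}")
```

The severity split matters in practice: a UTF-8 soft hyphen inside a search term is ordinary user text, while a bare `%AD` byte immediately followed by an option letter at a php-cgi path is the exact shape the researchers saw, so only the latter should page anyone. Run it against real logs by replacing `SAMPLE_LOG` with the file contents, and treat any "high" finding as a prompt to confirm the PHP version is patched rather than as proof of compromise on its own.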
In a recent announcement, Imperva disclosed that the CVE-2024-4577 vulnerability is also being leveraged by ransomware actors associated with TellYouThePass to distribute a .NET variant of their file-encrypting malware.
Users and organizations reliant on PHP are strongly advised to update their installations to the latest version as a precaution against active threats.
“The narrowing window for defenders to secure themselves following the disclosure of a new vulnerability poses a significant security challenge,” emphasized the researchers. “This is particularly pertinent for the PHP vulnerability due to its high exploitability and rapid adoption by threat actors.”
The disclosure coincides with Cloudflare reporting a 20% year-over-year increase in DDoS attacks during the second quarter of 2024, having mitigated 8.5 million DDoS attacks in the first half of the year. By comparison, the company had blocked 14 million DDoS attacks throughout the entirety of 2023.
“Overall, there was an 11% decrease in DDoS attacks in Q2 compared to the previous quarter, yet a 20% increase year-over-year,” highlighted researchers Omer Yoachimik and Jorge Pacheco in the Q2 2024 DDoS threat report.
Additionally, known DDoS botnets were responsible for half of all HTTP DDoS attacks. Fake user agents and headless browsers (29%), suspicious HTTP attributes (13%), and general floods (7%) constituted other notable vectors for HTTP DDoS attacks.
China emerged as the most targeted country during this period, followed by Turkey, Singapore, Hong Kong, Russia, Brazil, Thailand, Canada, Taiwan, and Kyrgyzstan. The sectors most heavily targeted by DDoS attacks included information technology and services, telecommunications, consumer goods, education, construction, and food and beverage.
“Argentina ranked highest as the source of DDoS attacks in Q2 2024,” noted the researchers. “Indonesia closely followed in second place, with the Netherlands coming in third.”