PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks
Multiple threat actors have been observed exploiting a recently disclosed security vulnerability in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets.
The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It was publicly disclosed in early June 2024.
“CVE-2024-4577 is a flaw enabling an attacker to evade the command line and transmit arguments to be interpreted directly by PHP,” Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg explained in a Wednesday analysis. “The weakness is rooted in how Unicode characters are transformed into ASCII.”
The web infrastructure company said it observed exploit attempts against its honeypot servers targeting the PHP flaw within 24 hours of its public disclosure.
These included exploits designed to deliver a remote access trojan named Gh0st RAT, cryptocurrency miners such as RedTail and XMRig, and a DDoS botnet called Muhstik.
“The attacker submitted a request akin to previous RedTail operations, exploiting the soft-hyphen flaw with ‘%ADd’ to initiate a wget request for a shell script,” the researchers detailed. “This script initiates an additional network request to the same IP address in Russia to retrieve an x86 version of the RedTail crypto-mining malware.”
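As an added illustration that is not part of the Akamai analysis or of this article, the Python snippet below shows how a defender can scan web server access logs for the request pattern just described: a percent-encoded soft hyphen (%AD) at the start of a query-string argument, which best-fit conversion on the affected Windows locales turns into a php-cgi option such as -d. The log lines, client addresses, paths and the option value after %ADd are constructed placeholders.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
# The paths and the option value "x%3dy" are placeholders, not values from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2024:12:00:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+x%3dy HTTP/1.1" 200 17 "-" "curl/8.0"
203.0.113.9 - - [10/Jul/2024:12:00:03 +0000] "GET /test.php?%adD+foo HTTP/1.1" 200 17 "-" "curl/8.0"
203.0.113.7 - - [10/Jul/2024:12:00:04 +0000] "GET /page.php?q=soft%ADhyphen HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def is_soft_hyphen_arg(target: str) -> bool:
    """True when a '+'-separated query token starts with a percent-encoded soft
    hyphen (U+00AD, '%AD') followed by a letter, e.g. '%ADd'.

    When the query contains no literal '=', a CGI gateway splits it on '+' into
    command-line arguments (RFC 3875 section 4.4); best-fit conversion on the
    affected locales then maps U+00AD to '-', so the token reaches php-cgi as an
    option. The check is deliberately broad and flags the token regardless of '='.
    A soft hyphen inside a value (q=soft%ADhyphen) does not start a token and is
    not flagged, which keeps false positives down."""
    query = urlsplit(target).query
    return any(
        tok[:3].upper() == "%AD" and len(tok) > 3 and tok[3].isalpha()
        for tok in query.split("+")
    )


def best_fit_view(token: str) -> str:
    """Render one raw token as php-cgi sees it after best-fit conversion maps the
    soft-hyphen byte (0xAD) to ASCII '-'; other non-ASCII bytes become U+FFFD."""
    raw = unquote_to_bytes(token).replace(b"\xad", b"-")
    return raw.decode("ascii", errors="replace")


def scan_log(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client IP, raw target, argv as php-cgi would see it) per flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_soft_hyphen_arg(m.group("target")):
            query = urlsplit(m.group("target")).query
            argv = " ".join(best_fit_view(t) for t in query.split("+"))
            hits.append((m.group("ip"), m.group("target"), argv))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the two requests from 203.0.113.9 and shows their decoded argument vectors, while the soft hyphen embedded in the `q=` value on the last line is left alone.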
Imperva also reported last month that TellYouThePass ransomware operators are exploiting CVE-2024-4577 to distribute a .NET variant of the file-encrypting malware.
Users and organizations running PHP are advised to update their installations to the latest version to protect against active threats.
“The diminishing timeframe that defenders possess to shield themselves following a new vulnerability disclosure is an additional significant security peril,” the researchers highlighted. “This holds particularly true for this PHP weakness owing to its high exploitability and swift adoption by threat actors.”

The disclosure comes as Cloudflare reported a 20% year-on-year increase in DDoS attacks in the second quarter of 2024, with 8.5 million DDoS attacks mitigated during the first six months of the year. By comparison, the company blocked 14 million DDoS attacks during the whole of 2023.
“In general, the count of DDoS attacks in Q2 diminished by 11% from the prior quarter, yet increased by 20% from the previous year,” researchers Omer Yoachimik and Jorge Pacheco expressed in the DDoS threat report for Q2 2024.
China was the most targeted country during that period, followed by Turkey, Singapore, Hong Kong, Russia, Brazil, Thailand, Canada, Taiwan, and Kyrgyzstan. Information technology, telecom, consumer goods, education, construction, and food were the sectors most frequently hit by DDoS attacks.
“Argentina positioned as the primary source of DDoS attacks in the second quarter of 2024,” the researchers mentioned. “Indonesia came in second, succeeded by the Netherlands in third.”