Connect with us

Hi, what are you looking for?



Ransomware Group Exploits PHP Vulnerability Days After Disclosure

The TellYouThePass ransomware gang started exploiting a recent code execution flaw in PHP days after public disclosure.

PHP vulnerability exploited

A recent PHP vulnerability leading to remote code execution started being exploited in ransomware attacks days after its public disclosure, cybersecurity firm Imperva reports.

The bug, tracked as CVE-2024-4577, impacts Windows servers using Apache and PHP-CGI, when the system configuration allows for the use of certain code pages, allowing attackers to inject arguments and execute arbitrary code.

The root cause of the issue is that the PHP implementation did not consider Windows’ ‘Best-Fit’ behavior, which controls the conversion of Unicode characters to the closest matching ANSI characters.

Because of this oversight, attackers can supply specific character sequences that will be converted and supplied to the php-cgi module, which may misinterpret them as PHP options and pass them to the binary being run.

CVE-2024-4577 affects all PHP versions on Windows, including the discontinued versions 8.0, 7, and 5, and was addressed last week with the release of PHP versions 8.1.29, 8.2.20, and 8.3.8.

Roughly two days after PHP rolled out patches and publicly disclosed the vulnerability, the TellYouThePass ransomware gang started exploiting vulnerable servers in attacks, Imperva says.

“As we analyzed attacks exploiting this vulnerability, we noticed a few campaigns, including WebShell upload attempts and several attempts to place ransomware on a target system,” Imperva says.

The threat actors were seen executing arbitrary PHP code on the target machines and then using the ‘system’ function to run an HTML application file from a remote web server.

Advertisement. Scroll to continue reading.

The attackers deploy the TellYouThePass ransomware as a .NET executable, which is loaded directly into memory.

Once executed, the malware establishes communication with its command-and-control (C&C) server, then enumerates directories, stops running processes, generates the required encryption keys, and starts encrypting files with specific extensions.

Active since 2019, the TellYouThePass ransomware has been targeting both businesses and individuals, mainly in attacks exploiting Apache Log4j (CVE-2021-44228) and ActiveMQ (CVE-2023-46604) vulnerabilities.

Related: Why Hackers Love Logs

Related: Arm Warns of Exploited Kernel Driver Vulnerability

Related: Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks

Related: Windows Event Log Vulnerabilities Could Be Exploited to Blind Security Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights