SecurityWeek

Ransomware Group Exploits PHP Vulnerability Days After Disclosure

The TellYouThePass ransomware gang started exploiting a recent code execution flaw in PHP days after public disclosure.

A recent PHP vulnerability leading to remote code execution started being exploited in ransomware attacks days after its public disclosure, cybersecurity firm Imperva reports.

The bug, tracked as CVE-2024-4577, impacts Windows servers running Apache with PHP-CGI when the system is configured to use certain code pages; it allows attackers to inject arguments and execute arbitrary code.

The root cause of the issue is that the PHP implementation did not account for Windows’ ‘Best-Fit’ behavior, which converts Unicode characters to the closest matching ANSI characters.

Because of this oversight, attackers can supply specific character sequences that will be converted and supplied to the php-cgi module, which may misinterpret them as PHP options and pass them to the binary being run.
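The Best-Fit hazard described above, as an added example that is not part of the article and is not Imperva's or the PHP project's code: Python's codecs encode strictly, so a round-trip check refuses any character that a lossy converter would silently collapse onto an ASCII look-alike instead of passing the altered bytes on. The best-fit table below is a constructed illustration of the mechanism, not Windows' real mapping, and the code page names used are assumptions.

```python
# Added example: strict round-trip validation versus a lossy "best-fit" conversion.
# Constructed best-fit table (NOT Windows' real table): a few dash-like code points
# that a lossy converter might collapse onto plain ASCII '-'.
ILLUSTRATIVE_BEST_FIT = {
    "\u2013": "-",  # EN DASH
    "\u2014": "-",  # EM DASH
    "\u2212": "-",  # MINUS SIGN
}


def is_strictly_representable(text: str, codepage: str) -> bool:
    """True only if every character has an exact encoding in the code page."""
    try:
        text.encode(codepage, errors="strict")
        return True
    except UnicodeEncodeError:
        return False


def best_fit_encode(text: str, codepage: str, table=ILLUSTRATIVE_BEST_FIT):
    """Simulate a lossy converter: exact mapping when possible, otherwise a
    look-alike from the table (or '?'). Returns (bytes, substituted characters).
    The substitution list is what a strict codec would never let through."""
    out = bytearray()
    altered = []
    for ch in text:
        try:
            out += ch.encode(codepage, errors="strict")
        except UnicodeEncodeError:
            out += table.get(ch, "?").encode("ascii")
            altered.append(ch)
    return bytes(out), altered


def validate_cgi_argument(value: str, codepage: str) -> str:
    """Defensive gate for untrusted input that will later be converted to an
    ANSI code page: refuse anything that would not survive the conversion
    unchanged, rather than letting the platform best-fit it."""
    if not is_strictly_representable(value, codepage):
        raise ValueError(f"argument is not exactly representable in {codepage}")
    return value


if __name__ == "__main__":
    sample = "a\u2013b"  # constructed input containing an EN DASH
    for cp in ("cp1252", "cp932"):
        print(cp, is_strictly_representable(sample, cp), best_fit_encode(sample, cp))
```

The same string is accepted unchanged under one code page and silently rewritten to an ASCII hyphen under another, which is why the check has to be made against the code page the target system actually uses.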

CVE-2024-4577 affects all PHP versions on Windows, including the discontinued versions 8.0, 7, and 5, and was addressed last week with the release of PHP versions 8.1.29, 8.2.20, and 8.3.8.

Roughly two days after PHP rolled out patches and publicly disclosed the vulnerability, the TellYouThePass ransomware gang started exploiting vulnerable servers in attacks, Imperva says.

“As we analyzed attacks exploiting this vulnerability, we noticed a few campaigns, including WebShell upload attempts and several attempts to place ransomware on a target system,” Imperva says.

The threat actors were seen executing arbitrary PHP code on the target machines and then using the ‘system’ function to run an HTML application file from a remote web server.

The attackers deploy the TellYouThePass ransomware as a .NET executable, which is loaded directly into memory.

Once executed, the malware establishes communication with its command-and-control (C&C) server, then enumerates directories, stops running processes, generates the required encryption keys, and starts encrypting files with specific extensions.

Active since 2019, the TellYouThePass ransomware has been targeting both businesses and individuals, mainly in attacks exploiting Apache Log4j (CVE-2021-44228) and ActiveMQ (CVE-2023-46604) vulnerabilities.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
