TellYouThePass ransomware is actively attacking vulnerable PHP instances
Breaking News: Active Exploitation of PHP CGI Argument Injection Vulnerability (CVE-2024-4577)
A public proof-of-concept (PoC) exploit for the PHP CGI Argument Injection vulnerability (CVE-2024-4577) has been made available. The vulnerability is exploitable over the network with low attack complexity and requires no privileges or user interaction. First discovered by Devcore, it carries a CVSS score of 9.8 and allows an attacker to achieve remote code execution.
The vulnerability has been in the sights of the notorious TellYouThePass ransomware group since at least June 7. Although no definitive link ties this group to all of the widespread exploitation reported publicly, the appearance of payloads that leverage CVE-2024-4577 confirms at least some active exploitation attempts consistent with ransomware threat actor tactics.
According to recent reports, the attackers have been targeting Linux systems, even though the vulnerability theoretically applies to PHP running in CGI mode on Windows systems. This discrepancy suggests either a mistake on the attackers' part or an unusual attack vector.
As of Thursday, about 1,000 hosts compromised through this vulnerability have been observed, the majority located in China. The direct impact on the U.S. is currently limited, with a peak of 39 compromised hosts compared with a high of 962 in China.
The TellYouThePass ransomware, which has been in existence since at least 2019, has previously leveraged vulnerabilities in Apache Log4j (CVE-2021-44228) and Apache ActiveMQ (CVE-2023-46604).
PHP released patched versions 8.3.8, 8.2.20, and 8.1.29 on June 6. Organizations running PHP in CGI mode are advised to apply the patches immediately and to consider mitigating controls, given the vulnerability's severity and active exploitation.
The threat affects a broad range of users, from individual personal website maintainers to enterprise websites. The number of observed infections has decreased from about 1,800 as of June 10, but the threat actors are mass scanning the internet rather than targeting specific organizations.
Researchers from Palo Alto Networks and Censys have also confirmed active exploitation as of June 11. All PHP users should stay vigilant, monitor for suspicious activity, and apply threat intelligence on ransomware trends.
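The advice to patch only helps if an operator can tell which hosts are still on a release below the fixed ones. The following triage script is an added example, not code from the article or from the PHP project: it parses `php -v` output from a fleet inventory and classifies each host against the three patched releases named above. The inventory format (hostname, `php -v` output) and the hostnames in the sample are constructed assumptions; a branch that has no fixed release in the article's list (for example 8.0) is reported as having no listed fix rather than as patched.

```python
"""Version triage for CVE-2024-4577 against the patched PHP releases listed in the article.

Added example, not from the original article. Assumes the operator has collected
(hostname, `php -v` output) pairs; the sample inventory below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the article (published by PHP on June 6), keyed by branch.
PATCHED_RELEASES: Dict[Tuple[int, int], Version] = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}

# `php -v` prints a line such as "PHP 8.3.7 (cgi-fcgi) (built: ...)"; also accept a bare "8.3.7".
_VERSION_RE = re.compile(r"\bPHP\s+(\d+)\.(\d+)\.(\d+)")
_BARE_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from `php -v` output or a bare version string, else None."""
    m = _VERSION_RE.search(text) or _BARE_RE.match(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version: Version) -> str:
    """Classify a version against the listed fixes.

    'patched'       -> at or above the fixed release of its branch
    'vulnerable'    -> same branch, below the fixed release
    'no_listed_fix' -> branch has no patched release in the article's list
    """
    fixed = PATCHED_RELEASES.get(version[:2])
    if fixed is None:
        return "no_listed_fix"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "patched" if version >= fixed else "vulnerable"


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (host, php -v output) pairs to (host, version or 'unknown', status)."""
    results: List[Tuple[str, str, str]] = []
    for host, output in inventory:
        v = parse_php_version(output)
        if v is None:
            results.append((host, "unknown", "unparsed"))
        else:
            results.append((host, ".".join(map(str, v)), assess(v)))
    return results


# Constructed sample inventory: hostnames and outputs are made up for illustration.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("web-01.example.test", "PHP 8.3.7 (cgi-fcgi) (built: May  7 2024 16:35:26)"),
    ("web-02.example.test", "PHP 8.2.20 (cli) (built: Jun  4 2024 12:00:00)"),
    ("web-03.example.test", "PHP 8.1.28 (cgi-fcgi) (built: Apr 10 2024 09:12:43)"),
    ("web-04.example.test", "PHP 8.0.30 (cgi-fcgi) (built: Aug  3 2023 17:13:08)"),
    ("web-05.example.test", "php: command not found"),
]

if __name__ == "__main__":
    for host, ver, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:22} {ver:8} {status}")
```

The version check is a necessary but not sufficient test: a host on a vulnerable version is only exposed through the CGI handler, so the `(cgi-fcgi)` tag in the `php -v` output is worth recording alongside the status when deciding what to patch first.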
The TellYouThePass ransomware group has shown interest in exploiting the PHP CGI Argument Injection Vulnerability (CVE-2024-4577), a critical vulnerability with a CVSS score of 9.8 that allows remote code execution. Active exploitation of this vulnerability, first discovered by Devcore, poses a serious threat because of its low attack complexity and ease of exploitation over the network.
Organizations running PHP in CGI mode should prioritize applying the patches and consider additional cybersecurity measures to mitigate the risks of ongoing exploitation by ransomware groups such as TellYouThePass.