PHP vulnerability is exploited to spread malware and launch DDoS attacks

July 11, 2024 | Press release | Cyber attack / security gap

Several threat actors have been observed exploiting a recently disclosed vulnerability in PHP to deliver remote access Trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets.

The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems configured with Chinese or Japanese language settings (locales). It was publicly disclosed in early June 2024.

“CVE-2024-4577 is a bug that allows an attacker to leave the command line and pass arguments to be interpreted directly by PHP,” said Akamai researchers Kyle Lefton, Allen West and Sam Tinklenberg in an analysis on Wednesday. “The vulnerability itself lies in how Unicode characters are converted to ASCII.”

The web infrastructure company said it began monitoring exploit attempts against its honeypot servers within 24 hours of the PHP vulnerability becoming known.

These included exploits for delivering a remote access trojan called Gh0st RAT, cryptocurrency miners such as RedTail and XMRig, and a DDoS botnet called Muhstik.

“The attacker sent a request similar to others in previous RedTail operations, abusing the soft hyphen flaw with ‘%ADd’ to execute a Wget request for a shell script,” the researchers explained. “This script makes an additional network request to the same Russia-based IP address to retrieve an x86 version of the RedTail crypto-mining malware.”
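The "%ADd" pattern quoted above is the percent-encoded soft hyphen (U+00AD) that the flawed Unicode-to-ASCII conversion turns into a plain "-", so the query string is read as a command-line switch. The following is an added, defender-side illustration, not code from the article or from Akamai: a heuristic scan of web-server access logs for that soft-hyphen-prefixed switch. The log lines are constructed samples, and treating "a soft hyphen at the start of the query or after a space/plus, followed by a letter" as the indicator is an assumption of this example, not Akamai's detection logic.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in combined-log style; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jul/2024:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
203.0.113.9 - - [11/Jul/2024:10:00:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+option%3Dvalue HTTP/1.1" 200 0
203.0.113.7 - - [11/Jul/2024:10:00:03 +0000] "GET /cgi-bin/php-cgi.exe?%C2%ADd+option%3Dvalue HTTP/1.1" 404 0
203.0.113.8 - - [11/Jul/2024:10:00:04 +0000] "GET /soft%ADhyphen.php HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Heuristic (assumption of this example): a soft hyphen arriving either as the raw
# byte 0xAD or UTF-8 encoded (0xC2 0xAD), at the start of the query string or after
# whitespace/'+', immediately followed by an ASCII letter. After the best-fit
# conversion to '-' described in the article, such a token reads as a switch like "-d".
SOFT_HYPHEN_SWITCH = re.compile(rb'(?:^|[\s+])\xc2?\xad[A-Za-z]')


def is_cve_2024_4577_probe(request_target: str) -> bool:
    """True when the query string carries a soft-hyphen-prefixed switch token."""
    if "?" not in request_target:
        return False
    query = request_target.split("?", 1)[1]
    # Decode to bytes, not str: a lone 0xAD is not valid UTF-8 and must survive intact.
    decoded = unquote_to_bytes(query)
    return SOFT_HYPHEN_SWITCH.search(decoded) is not None


def scan_log(text: str) -> list:
    """Return (client_ip, request_target) for every line matching the heuristic."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_cve_2024_4577_probe(m.group("target")):
            hits.append((line.split()[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2024-4577 probe from {ip}: {target}")
```

The fourth sample line is deliberately not flagged: the soft hyphen sits in the path, not the query string, and a soft hyphen inside a parameter value (e.g. `?q=%ADhello`) is likewise ignored to limit false positives.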

Last month, Imperva also announced that CVE-2024-4577 is being exploited by TellYouThePass ransomware actors to distribute a .NET variant of the file-encrypting malware.

Users and organizations that rely on PHP are advised to update their installations to the latest version to protect against active threats.

“The ever-decreasing time defenders have to protect themselves after a new vulnerability is disclosed is another critical security risk,” the researchers said. “This is especially true for this PHP vulnerability, as it is easily exploitable and quickly adopted by threat actors.”

The disclosure comes after Cloudflare reported a 20% year-over-year increase in DDoS attacks in the second quarter of 2024, blocking 8.5 million DDoS attacks in the first six months. In comparison, the company blocked 14 million DDoS attacks in all of 2023.

“Overall, the number of DDoS attacks decreased by 11% in the second quarter compared to the previous quarter, but increased by 20% year-on-year,” said researchers Omer Yoachimik and Jorge Pacheco in the DDoS Threat Report for Q2 2024.

The most attacked country during this period was China, followed by Turkey, Singapore, Hong Kong, Russia, Brazil, Thailand, Canada, Taiwan and Kyrgyzstan. Information technology and services, telecommunications, consumer goods, education, construction and food were found to be the sectors most affected by DDoS attacks.

“Argentina was ranked as the largest source of DDoS attacks in the second quarter of 2024,” the researchers said. “Indonesia followed closely behind in second place, followed by the Netherlands in third place.”
