June 11, 2024 at 10:28AM
The TellYouThePass ransomware gang has moved quickly to exploit the critical CVE-2024-4577 vulnerability in PHP, despite a recent patch. Using publicly available exploit code, they deploy webshells and execute an encryptor payload. The ransomware variant is loaded directly into memory, and victims are asked to pay 0.1 BTC for decryption. Over 450,000 exposed PHP servers could be vulnerable.
It appears that the TellYouThePass ransomware gang has been exploiting the recently patched CVE-2024-4577 remote code execution vulnerability in PHP to carry out attacks. These attacks have been observed shortly after the release of security updates by PHP’s maintainers and have been executed using publicly available exploit code.
The ransomware gang is known for quickly leveraging public exploits, as seen in their previous use of the Apache ActiveMQ RCE and the Log4j exploit to breach companies. In the latest attacks, the gang exploits the critical-severity CVE-2024-4577 bug to execute arbitrary PHP code, using the Windows mshta.exe binary to run a malicious HTML application (HTA) file.
This malicious HTA file contains VBScript with a base64-encoded string that decodes into a binary, loading a .NET variant of the ransomware into the host’s memory. Upon execution, the malware sends an HTTP request to a command-and-control (C2) server disguised as a CSS resource request and encrypts files on the infected machine. It then places a ransom note, “READ_ME10.html,” with instructions for the victim on how to restore their files.
Attacks have been ongoing since June 8, with ransom demands amounting to 0.1 BTC (around $6,700). Reports indicate widespread impact, with multiple websites being affected.
The CVE-2024-4577 vulnerability was discovered on May 7 and a fix was delivered on June 6 in PHP versions 8.3.8, 8.2.20, and 8.1.29. However, a day after the patch was released, proof-of-concept (PoC) exploit code and exploitation attempts were observed.
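Added example, not from the original article: a small Python triage helper that compares a host's reported PHP version against the fixed releases named above (8.3.8, 8.2.20, 8.1.29). Branches with no listed fix are conservatively treated as unpatched, and the host names and version banners are constructed sample data.

```python
import re

# Fixed releases named in the text above, keyed by PHP branch (major, minor).
FIXED_VERSIONS = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}

_BANNER_RE = re.compile(r"\bPHP\s+(\d+)\.(\d+)\.(\d+)")
_BARE_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Extract (major, minor, patch) from `php -v` output or a bare version.

    Returns None when no version can be found in the text.
    """
    m = _BANNER_RE.search(text) or _BARE_RE.match(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_patched_for_cve_2024_4577(version):
    """True if the version is at or above the fixed release of its branch.

    Assumption: branches without a listed fix (e.g. 8.0.x) are unpatched.
    """
    fixed = FIXED_VERSIONS.get(version[:2])
    return fixed is not None and version >= fixed


def triage(hosts):
    """Map host -> 'patched' / 'vulnerable' / 'unknown' from version banners."""
    result = {}
    for host, banner in hosts.items():
        v = parse_php_version(banner)
        if v is None:
            result[host] = "unknown"
        else:
            result[host] = "patched" if is_patched_for_cve_2024_4577(v) else "vulnerable"
    return result


if __name__ == "__main__":
    # Constructed inventory (hypothetical hosts and banners) for demonstration.
    sample = {
        "web-01": "PHP 8.3.8 (cli) (built: Jun  4 2024 12:00:00) (NTS)",
        "web-02": "PHP 8.2.19 (cli) (built: May  8 2024 12:00:00) (NTS)",
        "web-03": "8.1.29",
        "web-04": "PHP 8.0.30 (cli)",
        "web-05": "X-Powered-By: nginx",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```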
As of now, there are more than 450,000 exposed PHP servers that could be vulnerable to the CVE-2024-4577 RCE vulnerability, with a significant number of them located in the United States and Germany. Cloud security startup Wiz estimates that around 34% of these instances might be vulnerable.