Ransomware Group Exploits PHP Vulnerability Days After Disclosure


June 12, 2024 at 05:06AM

Cybersecurity firm Imperva reports that CVE-2024-4577, a recently disclosed PHP vulnerability, was exploited in ransomware attacks within days of its public disclosure. The flaw affects PHP running in CGI mode (php-cgi) under Apache on Windows and was fixed in PHP 8.1.29, 8.2.20 and 8.3.8. The TellYouThePass ransomware gang was observed exploiting it.

Key Takeaways:

1. The PHP vulnerability CVE-2024-4577, which affects Windows servers running PHP-CGI under Apache, was exploited in ransomware attacks within days of its public disclosure.

2. The vulnerability is an argument-injection flaw. PHP's CGI handler rejects query-string arguments that begin with a hyphen, but Windows applies a "Best-Fit" character mapping that turns certain bytes (notably 0xAD, the soft hyphen) into an ASCII hyphen after that check has run, so a request carrying those byte sequences can pass command-line options such as -d to php-cgi and execute arbitrary code.

3. All PHP versions on Windows are affected, including the end-of-life 8.0, 7.x and 5.x branches, which will not receive a fix; the supported branches were patched in PHP 8.1.29, 8.2.20 and 8.3.8.

4. The TellYouThePass ransomware gang was observed exploiting the vulnerability both to attempt web shell uploads and to drop ransomware on target systems.

5. The ransomware is loaded as a .NET executable and, once executed, establishes communication with its command-and-control (C&C) server, enumerates directories, stops processes, generates encryption keys, and encrypts files with specific extensions.

6. TellYouThePass ransomware has been active since 2019 and has targeted both businesses and individuals, particularly exploiting vulnerabilities in Apache Log4j (CVE-2021-44228) and ActiveMQ (CVE-2023-46604).
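Items 2 and 3 above translate directly into an exposure-triage script: one function decides whether a reported PHP version is on a fixed release, and another scans Apache access-log lines for query strings that smuggle php-cgi options past the hyphen check. This is an added example, not code from the article, from Imperva or from the PHP project. The log lines are constructed; the Apache "combined" log format and the 0xAD trigger byte are assumptions taken from the public advisory, and the version table encodes only the releases the article names.

```python
"""
Exposure triage for CVE-2024-4577 (php-cgi argument injection on Windows).

Added example, not the article's, Imperva's or the PHP project's code.
Assumptions (not from the article): sample log lines are constructed, the
log format is Apache "combined", and the detector keys on the publicly
documented trigger byte 0xAD, which Windows best-fit maps to '-'.
"""
import re
from urllib.parse import unquote_to_bytes

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(8, 1): 29, (8, 2): 20, (8, 3): 8}
# Branches the article says are affected but no longer receive fixes.
END_OF_LIFE_MAJORS = {5, 7}
END_OF_LIFE_BRANCHES = {(8, 0)}


def php_status(version: str) -> str:
    """Classify a Windows PHP build as 'fixed', 'vulnerable', 'eol-vulnerable' or 'unknown'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return "unknown"
    major, minor, patch = (int(x) for x in m.groups())
    if major in END_OF_LIFE_MAJORS or (major, minor) in END_OF_LIFE_BRANCHES:
        return "eol-vulnerable"  # affected, and no patched release exists
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "unknown"  # branch not covered by the article's fix list
    return "fixed" if patch >= fixed_patch else "vulnerable"


# Apache "combined" format (assumed): client, identd, user, [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def injected_args(target: str) -> list[bytes]:
    """Return query-string tokens that php-cgi would see as options.

    mod_cgi hands a query string to php-cgi as argv, split on '+'. PHP refuses
    tokens starting with '-', but on Windows the byte 0xAD is best-fit mapped
    to '-' after that check, so both spellings are flagged here.
    """
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    hits = []
    for token in query.split("+"):
        raw = unquote_to_bytes(token)  # decode to bytes so 0xAD is preserved as-is
        if raw[:1] in (b"-", b"\xad") and raw[1:2].isalpha():
            hits.append(raw)
    return hits


def scan_log(lines) -> list[dict]:
    """Return one finding per log line whose query string carries injected php-cgi options."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        args = injected_args(m["target"])
        if args:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "args": args,
                "best_fit": any(a[:1] == b"\xad" for a in args),
                "status": int(m["status"]),
            })
    return findings


# Constructed sample lines (not real traffic). Line 1 mirrors the documented
# 0xAD trigger; line 3 uses a literal hyphen, which PHP's own check rejects.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:02:14:33 +0000] "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2024:02:15:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jun/2024:02:15:40 +0000] "GET /test.php?-d+allow_url_include%3d1 HTTP/1.1" 403 199 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for v in ("8.3.8", "8.2.19", "7.4.33"):
        print(v, php_status(v))
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], "best-fit" if f["best_fit"] else "literal", f["args"])
```

The detector percent-decodes to bytes rather than to text on purpose: decoding to a string would either fail on 0xAD or silently normalise it, and the whole point of the flaw is that the byte only becomes a hyphen once Windows converts it. Treat a finding with a 200 status and a best-fit token as a likely success and pull the host's PHP version through `php_status` before doing anything else.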
