June 12, 2024 at 11:50AM
TellYouThePass, a ransomware group, is targeting businesses and individuals that run open source web development stacks by exploiting a critical PHP vulnerability (CVE-2024-4577) for remote code execution. The flaw lets the attackers execute arbitrary code on vulnerable servers, posing significant risk. The group also uses a variety of attack techniques, exploits other known vulnerabilities such as Log4j, and works to evade detection.
Key Takeaways from the Meeting Notes:
1. TellYouThePass is a ransomware group actively exploiting known vulnerabilities in open source web development languages, including the recent critical CVE-2024-4577 PHP bug, to conduct ransomware attacks on both Windows and Linux systems.
2. The group has been leveraging CVE-2024-4577 to execute arbitrary PHP code on target systems, calling PHP's system() function to launch the mshta.exe binary, which runs an HTML Application (HTA) file hosted on an attacker-controlled web server.
3. TellYouThePass uses a variety of attack methods; recent malware variants are delivered as .NET samples by way of HTML Applications. The initial infection is carried out through an HTA file containing malicious VBScript, and once the ransomware executes it sends an HTTP request to its command-and-control (C2) server.
4. Organizations can mitigate exploitation of the CVE-2024-4577 PHP flaw and reduce the risk of ransomware attacks by patching affected systems, disabling PHP's CGI mode where it is enabled, maintaining an inventory of the assets and applications in the environment, and using web application firewall (WAF) technology and reliable anti-virus software to defend against malware campaigns.
5. Specific recommendations include patching affected systems to address CVE-2024-4577, considering migration to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM, and following best practices such as maintaining awareness of assets and applications and using effective web application firewall and anti-virus solutions.
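As an added illustration (not taken from the original article or from the group's tooling), the Apache httpd fragment below shows the plain-CGI PHP mapping that items 4 and 5 say to remove, next to a FastCGI replacement; the install paths and the FastCGI port are assumptions, and patching PHP itself still comes first.

```apache
# ===== BEFORE (remove): PHP served through the plain CGI handler =====
# Hypothetical Windows paths. With this mapping Apache launches php-cgi.exe
# for every request and, as CGI does, passes parts of the request to it as
# command-line arguments. That handler is the surface CVE-2024-4577 abuses.
ScriptAlias /php-cgi/ "C:/php/"
Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
AddHandler application/x-httpd-php-cgi .php
<Directory "C:/php">
    AllowOverride None
    Options None
    Require all granted
</Directory>

# ===== AFTER: PHP over FastCGI via mod_proxy_fcgi, no CGI handler =====
# PHP runs as a persistent FastCGI worker that Apache talks to over the
# FastCGI protocol, so request data never reaches a command line. Start the
# worker separately, e.g. "php-cgi.exe -b 127.0.0.1:9000" on Windows or a
# PHP-FPM pool listening on the same address on Linux.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so

# No ScriptAlias / Action / AddHandler for php-cgi remain in this section.
<FilesMatch "\.php$">
    SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>

# Defence in depth: the PHP install directory must not be reachable over HTTP.
<Directory "C:/php">
    Require all denied
</Directory>
```

After the change, confirm with `httpd -M` that proxy_fcgi_module is loaded and that no php-cgi ScriptAlias remains anywhere in the configuration, including vhost and include files.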
Let me know if you need further assistance or additional information.