CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Ransomware

Ransomware Group Exploits PHP Vulnerability Days After Disclosure

The TellYouThePass ransomware gang started exploiting a recent code execution flaw in PHP days after public disclosure. The post Ransomware Group Exploits PHP Vulnerability Days After Disclosure appeared first on SecurityWeek.

Vulnerability exploited

A recent PHP vulnerability leading to remote code execution started being exploited in ransomware attacks days after its public disclosure, cybersecurity firm Imperva reports.

The bug, tracked as CVE-2024-4577, impacts Windows servers using Apache and PHP-CGI, when the system configuration allows for the use of certain code pages, allowing attackers to inject arguments and execute arbitrary code.

The root cause of the issue is that the PHP implementation did not consider Windows’ ‘Best-Fit’ behavior, which controls the conversion of Unicode characters to the closest matching ANSI characters.

Because of this oversight, attackers can supply specific character sequences that will be converted and supplied to the php-cgi module, which may misinterpret them as PHP options and pass them to the binary being run.

CVE-2024-4577 affects all PHP versions on Windows, including the discontinued versions 8.0, 7, and 5, and was addressed last week with the release of PHP versions 8.1.29, 8.2.20, and 8.3.8.

Roughly two days after PHP rolled out patches and publicly disclosed the vulnerability, the TellYouThePass ransomware gang started exploiting vulnerable servers in attacks, Imperva says.

“As we analyzed attacks exploiting this vulnerability, we noticed a few campaigns, including WebShell upload attempts and several attempts to place ransomware on a target system,” Imperva says.

The threat actors were seen executing arbitrary PHP code on the target machines and then using the ‘system’ function to run an HTML application file from a remote web server.

The attackers deploy the TellYouThePass ransomware as a .NET executable, which is loaded directly into memory.

Once executed, the malware establishes communication with its command-and-control (C&C) server, then enumerates directories, stops running processes, generates the required encryption keys, and starts encrypting files with specific extensions.

Active since 2019, the TellYouThePass ransomware has been targeting both businesses and individuals, mainly in attacks exploiting Apache Log4j (CVE-2021-44228) and ActiveMQ (CVE-2023-46604) vulnerabilities.

Related: Why Hackers Love Logs

Related: Arm Warns of Exploited Kernel Driver Vulnerability

Related: Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks

Related: Windows Event Log Vulnerabilities Could Be Exploited to Blind Security Products

Latest News

CYBERNEWSMEDIAPublisher