Threat intelligence company GreyNoise warns that a critical PHP remote code execution vulnerability that impacts Windows systems is now under mass exploitation.
Tracked as CVE-2024-4577, this PHP-CGI argument injection flaw was patched in June 2024 and affects Windows PHP installations with PHP running in CGI mode. Successful exploitation enables unauthenticated attackers to execute arbitrary code and leads to complete system compromise.
GreyNoise's warning comes after Cisco Talos revealed earlier that an unknown attacker had exploited the same PHP vulnerability to target Japanese organizations since at least early January 2025.
While Talos observed the attackers attempting to steal credentials, it believes their goals extend beyond credential harvesting, based on post-exploitation activities that include establishing persistence, elevating privileges to SYSTEM level, deploying adversarial tools and frameworks, and using "TaoWu" Cobalt Strike kit plugins.
However, as GreyNoise reported, the threat actors behind this malicious activity cast a much wider net by targeting vulnerable devices globally, with significant increases observed in the United States, Singapore, Japan, and other countries since January 2025.
In January alone, GreyNoise's worldwide network of honeypots, known as the Global Observation Grid (GOG), spotted 1,089 unique IP addresses attempting to exploit this PHP security flaw.
"While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread [..] More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China," the threat intelligence firm said, warning that at least 79 exploits are available online.
A day after PHP maintainers released CVE-2024-4577 patches on June 7, 2024, WatchTowr Labs released proof-of-concept (PoC) exploit code, and the Shadowserver Foundation reported observing exploitation attempts.
The TellYouThePass ransomware gang also started exploiting the vulnerability to deploy webshells and encrypt victims' systems less than 48 hours after patches were released in June 2024.
Previously, CVE-2024-4577 was exploited by unknown attackers who backdoored a university's Windows systems in Taiwan with newly discovered malware dubbed Msupedge.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 11 Mar 2025 14:30:09 +0000