Multiple Threat Actors Exploit PHP Flaw CVE-2024-4577 to Deliver Malware

Summary:
Multiple threat actors are exploiting the recently disclosed PHP vulnerability CVE-2024-4577 to deliver various malware families, according to the Akamai Security Intelligence Response Team. This vulnerability, which has a CVSS score of 9.8, is a PHP-CGI OS command injection flaw that stems from the Best-Fit character-encoding conversion performed by the Windows operating system. Using specific character sequences, attackers can bypass the fix for a previous vulnerability, CVE-2012-1823, which allows them to execute arbitrary code on remote PHP servers and take control of vulnerable hosts.
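The following detection sketch is an added example, not code from the Akamai report or this summary: it shows how a log-review script can apply the same Best-Fit normalisation a Windows host would, so that a request that looks harmless before decoding is recognised as a php-cgi option injection. The specific byte involved (the soft hyphen, 0xAD, which Windows maps to an ASCII hyphen) is taken from the public CVE-2024-4577 advisories, not from this page; the log lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Bytes that the Windows Best-Fit conversion collapses onto "-" (0x2D).
# The soft hyphen 0xAD is the value named in the public CVE-2024-4577 advisories.
BEST_FIT_TO_HYPHEN = {0xAD}
PHP_CGI_PATH = re.compile(r"php(-cgi)?(\.exe)?$", re.IGNORECASE)
OPTION_LETTERS = "dsnbcfhilmqrvwz"   # php-cgi command-line option letters
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(\?(?P<query>[^ "]*))? HTTP/')

# Constructed sample access-log lines (not taken from any real capture).
SAMPLE_LOGS = [
    # Best-Fit bypass: %AD (soft hyphen) becomes "-" once PHP runs on Windows
    '203.0.113.5 - - [07/Jun/2024:10:15:01 +0000] "GET /cgi-bin/php-cgi.exe?%ADd+display_errors%3D1 HTTP/1.1" 200 331',
    # classic CVE-2012-1823 form, which older filters already block
    '203.0.113.6 - - [07/Jun/2024:10:15:02 +0000] "GET /cgi-bin/php-cgi.exe?-s HTTP/1.1" 200 1450',
    # benign request: an unencoded "=" means the query is never passed as argv
    '203.0.113.7 - - [07/Jun/2024:10:15:03 +0000] "GET /index.php?id=42 HTTP/1.1" 200 2048',
]

def normalise_arg(raw: str) -> str:
    """Percent-decode one CGI argument, then apply the Best-Fit hyphen mapping."""
    out = bytearray(0x2D if b in BEST_FIT_TO_HYPHEN else b for b in unquote_to_bytes(raw))
    return out.decode("latin-1")

def detect(line: str):
    """Return (rule_name, normalised argv) for a php-cgi option-injection request, else None."""
    m = LOG_RE.search(line)
    if not m or not PHP_CGI_PATH.search(m.group("path")):
        return None
    query = m.group("query") or ""
    # RFC 3875: the query string is passed as argv only when it has no unencoded "="
    if "=" in query or not query:
        return None
    argv = [normalise_arg(part) for part in query.split("+")]
    if any(a.startswith("-") and len(a) > 1 and a[1] in OPTION_LETTERS for a in argv):
        rule = "best-fit-bypass" if "%AD" in query.upper() else "classic-cve-2012-1823"
        return rule, argv
    return None

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(detect(entry))
```

Because the check runs after normalisation, it also flags other option letters (such as -s source disclosure) rather than only the -d form most PoCs use.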

Akamai reported that within 24 hours of the vulnerability's disclosure, exploit attempts targeting this flaw were observed on their honeypot network. Malware families being delivered include Gh0st RAT, RedTail cryptominers, and XMRig. Researchers from Shadowserver and GreyNoise also noted multiple actors attempting to exploit this vulnerability since the public availability of a proof-of-concept (PoC) exploit code.

Security Officer Comments:
Akamai also observed the DDoS botnet Muhstik exploiting this vulnerability. The botnet's shell script downloads an ELF file named "pty3" from a different IP address, which is likely a sample of Muhstik malware targeting Internet of Things (IoT) devices and Linux servers for cryptomining and DDoS purposes. The malware connects to the command and control domain and communicates via Internet Relay Chat.

Additionally, a campaign abusing the exploit to deliver XMRig was observed. Attackers injected a command using a PowerShell script to download and execute a script that spins up XMRig from a remote mining pool, then cleans up temporary files for obfuscation.


Suggested Corrections:

IOCs:
https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure


Customers who are using Akamai Adaptive Security Engine in automatic mode and have the Command Injection Attack group set to Deny have mitigations automatically enabled against these types of attacks.

Customers who are using Adaptive Security Engine in manual mode should validate that they have the Command Injection Attack group or the following rules in Deny mode. Depending on the payload, one or more of these rules are mitigating this vulnerability:

  • 969151 v1 — PHP Injection Attack (Opening Tag)
  • 959977 v1 — PHP Injection Attack (Configuration Override)
  • 3000155 v1 — CMD Injection Attack Detected (PHP/Data Filter Detected)
  • 3000171 v3 — Webshell/Backdoor File Upload Attempt

As always, you should frequently check your console for updates and additions to the rule sets. Shortly after the exploits were published, we observed a massive amount of scanning that was seeking to exploit this vulnerability. As with most vulnerabilities with public exploits, the vast majority of requests were from bug bounty hunters and other scanners.


Link(s):
https://securityaffairs.com/165586/hacking/php-flaw-cve-2024-4577-actively-exploited.html

https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure