New PHP RCE Vulnerability (CVE-2024-4577) Exploited by TellYouThePass Ransomware Gang: Mitigation Recommended

  • Affects all versions of PHP on Windows in CGI mode due to unsafe character encoding conversions
  • Discovered by Orange Tsai of Devcore, reported to PHP team on May 7, patched on June 6
  • New PHP RCE vulnerability (CVE-2024-4577) exploited by TellYouThePass ransomware gang
  • Over 450,000 exposed PHP servers could be vulnerable
  • Ransomware delivered using a malicious HTA file and disguised as a CSS resource request
  • TellYouThePass attackers have been exploiting the vulnerability since June 8

A recent vulnerability in the PHP programming language, tracked as CVE-2024-4577, has been exploited by the TellYouThePass ransomware gang to infect servers and encrypt files.

Discovered by Orange Tsai of Devcore, the vulnerability affects all versions of PHP on Windows when used in CGI mode due to unsafe character encoding conversions. It was reported to the PHP team on May 7 and patched with the release of PHP versions 8.1.29, 8.2.20, and 8.3.8 on June 6.

Despite the patch being available for over a week, TellYouThePass attackers have been exploiting the vulnerability to deliver webshells and execute their encryptor payload on targeted servers.

According to cybersecurity firm Imperva, attacks started on June 8 and relied on publicly available exploit code. The ransomware is delivered using a malicious HTML application (HTA) file that uses the Windows mshta.exe binary to load a .NET variant of the ransomware into memory.

Once executed, the malware sends an HTTP request to its command-and-control (C2) server disguised as a CSS resource request and encrypts files on the infected machine.

The TellYouThePass ransomware gang is known for quickly adopting public exploits for vulnerabilities with a wide impact. In November 2023, they used an Apache ActiveMQ RCE vulnerability in attacks, and in December 2021, they adopted the Log4j exploit to breach companies.

According to Censys, there are over 450,000 exposed PHP servers that could be vulnerable to the CVE-2024-4577 RCE vulnerability. Wiz estimates around 34% of those instances might be vulnerable.

It is strongly recommended that all PHP servers on Windows using CGI mode be updated to the latest version as soon as possible to mitigate this risk.
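As an added example (not code from the article, from Imperva, or from the PHP project), the following PHP script applies the article's own triage criteria to a running interpreter: Windows, CGI SAPI, and a version below the fixed releases 8.1.29, 8.2.20 and 8.3.8. The function name, its return shape, and the decision to report branches that never received a fix (8.0, 7.x, 5.x) as unpatched are this example's assumptions, not statements from the article.

```php
<?php
// Added example, not from the article or the PHP project: report whether the PHP
// instance running this script matches the configuration the article describes as
// affected by CVE-2024-4577 (Windows, CGI mode, below the fixed release).
declare(strict_types=1);

// Fixed releases named in the article, keyed by branch. Branches missing here
// (8.0, 7.x, 5.x) are end-of-life and received no fix (assumption of this example:
// treat them as unpatched rather than unknown).
const CVE_2024_4577_FIXED = [
    '8.3' => '8.3.8',
    '8.2' => '8.2.20',
    '8.1' => '8.1.29',
];

/**
 * Returns ['affected' => bool, 'reason' => string].
 * The defaults are the running interpreter's own values; pass $version, $sapi and
 * $os_family explicitly to evaluate a configuration reported from another host.
 */
function assess_cve_2024_4577(
    string $version = PHP_VERSION,
    string $sapi = PHP_SAPI,
    string $os_family = PHP_OS_FAMILY
): array {
    if ($os_family !== 'Windows') {
        return ['affected' => false, 'reason' => "not Windows ($os_family)"];
    }
    // php-cgi.exe reports 'cgi-fcgi' (older builds report 'cgi'); every other SAPI
    // (cli, apache2handler, ...) is outside the affected configuration.
    if (!in_array($sapi, ['cgi', 'cgi-fcgi'], true)) {
        return ['affected' => false, 'reason' => "SAPI $sapi is not CGI"];
    }
    // "8.3.7" -> "8.3"
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    if (!isset(CVE_2024_4577_FIXED[$branch])) {
        return [
            'affected' => true,
            'reason'   => "branch $branch is end-of-life and has no fixed release; migrate to a supported branch",
        ];
    }
    $fixed = CVE_2024_4577_FIXED[$branch];
    if (version_compare($version, $fixed, '<')) {
        return ['affected' => true, 'reason' => "PHP $version is below fixed release $fixed"];
    }
    return ['affected' => false, 'reason' => "PHP $version is at or above fixed release $fixed"];
}

// Live check of the interpreter executing this script.
$live = assess_cve_2024_4577();
printf("this interpreter: %s (%s)\n", $live['affected'] ? 'AFFECTED' : 'not affected', $live['reason']);

// Constructed sample configurations, to show each branch of the decision.
$samples = [
    ['8.3.7',  'cgi-fcgi', 'Windows'], // below fixed release -> AFFECTED
    ['8.3.8',  'cgi-fcgi', 'Windows'], // fixed release       -> ok
    ['7.4.33', 'cgi-fcgi', 'Windows'], // EOL branch, no fix  -> AFFECTED
    ['8.2.19', 'cli',      'Windows'], // not the CGI SAPI    -> ok
    ['8.1.28', 'cgi-fcgi', 'Linux'],   // not Windows         -> ok
];
foreach ($samples as [$v, $s, $o]) {
    $r = assess_cve_2024_4577($v, $s, $o);
    printf("%-7s %-9s %-8s -> %s (%s)\n", $v, $s, $o, $r['affected'] ? 'AFFECTED' : 'ok', $r['reason']);
}
```

Run from a terminal the script sees the `cli` SAPI and reports "not affected" regardless of version, so to check the web-facing configuration serve it through the web server so that it executes under php-cgi, or feed the reported values in explicitly. The check is also only as wide as the SAPI it runs under: the article notes that a PHP executable exposed in a CGI directory is affected in its own right, so an installation whose site normally runs under another SAPI still needs that binary updated or removed.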



Confidence

100%

No Doubts Found At Time Of Publication

Sources

99%

  • Unique Points
    • Ransomware attackers have quickly weaponized a PHP programming language vulnerability with a severity rating of 9.8 out of 10.
    • TellYouThePass ransomware strain has infected over 1,000 servers as of Thursday.
    • Servers primarily located in China have been affected by the attack.
    • The vulnerability stems from errors in the way PHP converts Unicode characters into ASCII and can be exploited using argument injection.
    • Exploits allow attackers to bypass a critical code execution vulnerability patched in PHP in 2012.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (95%)
    The author does not demonstrate any clear bias in the article. However, there is a disproportionate number of quotes and mentions of servers located in China and Japan due to the vulnerability affecting those locales specifically.
    • The vast majority of the infected servers have IP addresses geolocated to China, Taiwan, Hong Kong, or Japan, likely stemming from the fact that Chinese and Japanese locales are the only ones confirmed to be vulnerable.
    • The discovery of compromised XAMPP servers took Will Dormann, a senior vulnerability analyst at security firm Analygence, by surprise because XAMPP maintainers explicitly say their software isn’t suitable for production systems.
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

99%

  • Unique Points
    • CVE-2024-4577 is an OS command injection vulnerability in Windows-based PHP in CGI mode.
    • All versions of PHP installed on the Windows operating system in CGI mode are affected, as well as those with the PHP executable binary exposed in the CGI directory.
    • The flaw allows attackers to bypass protections for an older PHP vulnerability (CVE-2012-1823) using specific character sequences.
    • Greynoise has revealed that attackers are trying to deliver a variety of malicious payloads, including a Gh0st RAT variant and Cobalt Strike beacons.
  • Accuracy
    • Attackers use known exploit for CVE-2024-4577 to execute arbitrary PHP code and run an HTML application file hosted on an attacker-controlled web server via mshta.exe binary.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

96%

  • Unique Points
    • The bug, tracked as CVE-2024-4577, impacts Windows servers using Apache and PHP-CGI when the system configuration allows for the use of certain code pages.
    • TellYouThePass ransomware is deployed as a .NET executable, loaded directly into memory.
    • Once executed, the malware establishes communication with its command-and-control server, then enumerates directories, stops running processes, generates encryption keys and starts encrypting files with specific extensions.
    • TellYouThePass ransomware has been targeting both businesses and individuals since 2019, mainly in attacks exploiting Apache Log4j (CVE-2021-44228) and ActiveMQ (CVE-2023-46604) vulnerabilities.
  • Accuracy
    • The vulnerability was addressed with the release of PHP versions 8.1.29, 8.2.20, and 8.3.8 last week.
    • Attackers use a living-off-the-land technique and the mshta.exe Windows binary to run an HTML application file hosted on an attacker-controlled server.
    • The number of infected sites has fluctuated from a low of 670 to a high of 1,800 since the attacks began.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (85%)
    The article contains an appeal to authority and a potential false dilemma. The author cites cybersecurity firm Imperva as the source of information about the ransomware attacks and the vulnerability's exploitation. Additionally, there might be a false dilemma in stating that 'all PHP versions on Windows, including the discontinued versions 8.0, 7, and 5' are affected by CVE-2024-4577.
    • Cybersecurity firm Imperva reports...
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

95%

  • Unique Points
    • TellYouThePass ransomware gang is exploiting the CVE-2024-4577 remote code execution vulnerability in PHP to deliver webshells and execute the encryptor payload.
    • CVE-2024-4577 is a critical RCE vulnerability that impacts all PHP versions since 5.x due to unsafe character encoding conversions on Windows in CGI mode.
    • The vulnerability was discovered by Devcore's Orange Tsai and reported to the PHP team on May 7.
    • There are over 450,000 exposed PHP servers that could be vulnerable to the CVE-2024-4577 RCE vulnerability, most of them located in the United States and Germany.
    • Wiz estimates around 34% of those instances might be vulnerable.
  • Accuracy
    • Attacks started less than 48 hours after the release of security updates by PHP’s maintainers.
    • TellYouThePass ransomware uses publicly available exploit code for new vulnerabilities with a wide impact.
    • The vulnerability was discovered by Devcore’s Orange Tsai and reported to the PHP team on May 7.
    • A fix was delivered on June 6 with the release of PHP versions 8.3.8, 8.2.20, and 8.1.29.
    • WatchTowr Labs released proof-of-concept exploit code for CVE-2024-4577 on the same day a patch was released and observed exploitation attempts on their honeypots.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (85%)
    The article contains an appeal to authority and a potential overgeneralization. It mentions the ransomware's past behavior of quickly exploiting public vulnerabilities, but doesn't provide specific evidence for this claim beyond citing previous incidents. Additionally, it references a specific percentage of vulnerable instances based on an estimate from Wiz cloud security startup, which could be seen as an inflammatory rhetorical device.
    • The TellYouThePass ransomware is known for quickly jumping on public exploits for vulnerabilities with a wide impact. Last November they used an Apache ActiveMQ RCE in attacks and in December 2021 they adopted the Log4j exploit to breach companies.
    • Wiz cloud security startup gave a more specific estimate of how many of those instances might be vulnerable, putting the number to around 34%.
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication