Cybercriminals are actively exploiting a significant security flaw in PHP to distribute cryptocurrency miners and remote access trojans (RATs) such as Quasar RAT. This vulnerability, identified as CVE-2024-4577, is an argument injection flaw in PHP affecting Windows systems operating in CGI mode, potentially allowing attackers to execute arbitrary code remotely.

Exploitation Details and Geographic Impact

According to cybersecurity firm Bitdefender, there has been a noticeable increase in exploitation attempts targeting CVE-2024-4577 since late last year. The majority of these attempts have been concentrated in Taiwan (54.65%), followed by Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%).

Methods of Exploitation

Approximately 15% of the detected attempts involve basic vulnerability checks using commands like "whoami" and "echo <test_string>." Another 15% focus on system reconnaissance activities, including process enumeration, network discovery, and gathering user and domain information.

  • XMRig Deployment: Around 5% of attacks have resulted in the deployment of the XMRig cryptocurrency miner.
  • Nicehash Miners: A smaller campaign involved deploying Nicehash miners, disguised as legitimate applications like javawindows.exe, to avoid detection.

Use of Remote Access Tools

Attackers have also exploited this vulnerability to deliver remote access tools such as the open-source Quasar RAT. Additionally, they have executed malicious Windows installer (MSI) files hosted on remote servers using cmd.exe.

Unusual Defensive Tactics

Interestingly, Bitdefender observed attempts to modify firewall configurations on compromised servers to block access to known malicious IPs. This behavior suggests that rival cryptojacking groups are competing for control over vulnerable resources, preventing re-exploitation by other attackers. This tactic aligns with previous observations where cryptojacking attacks terminate rival miner processes before deploying their own payloads.

Recent Developments and Recommendations

This activity follows Cisco Talos's disclosure of a campaign leveraging the PHP flaw against Japanese organizations earlier this year. To mitigate these threats, users are advised to update their PHP installations to the latest version.

Given the frequent use of living-off-the-land (LOTL) tools in these campaigns, organizations should restrict the use of tools like PowerShell to privileged users, such as administrators, to enhance security.
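Updating PHP is the fix, but many teams also want to know whether the argument-injection probing described above already reached their Windows IIS hosts. The following is an added example, not code from Bitdefender, Cisco Talos or the PHP project: it reads IIS W3C-style log lines (constructed here, with a constructed field order) and reproduces how php-cgi in CGI mode derives argv from a query string that carries no unencoded "=", so that an injected "-d" option is visible even when it arrives as the soft-hyphen byte 0xAD that Windows best-fit-maps to "-" (that mapping detail comes from the public CVE-2024-4577 advisory, not from this article). It only sees the request line: the whoami and echo checks mentioned earlier travel in the request body, which IIS does not log, so pair this with WAF or EDR telemetry.

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style lines. Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = [
    "2025-03-01 10:00:01 10.0.0.5 GET /index.php - 80 - 198.51.100.7 Mozilla/5.0 200",
    "2025-03-01 10:00:02 10.0.0.5 POST /php-cgi/php-cgi.exe %ADd+display_errors%3d1 80 - 198.51.100.7 python-requests/2.31 200",
    "2025-03-01 10:00:03 10.0.0.5 GET /about.php page=2 80 - 203.0.113.4 Mozilla/5.0 200",
]


def cgi_argv(query):
    """Mirror how php-cgi turns a query string into command-line words.

    RFC 3875: a query string with no unencoded '=' is split on '+' and each
    word is percent-decoded, then handed to the CGI binary as argv.
    Byte 0xAD (soft hyphen) is folded to '-' to model the Windows best-fit
    conversion that lets it act as an option prefix on affected PHP builds.
    """
    if query == "-" or "=" in query:
        return []
    words = []
    for raw in query.split("+"):
        word = unquote_to_bytes(raw).replace(b"\xad", b"-")
        words.append(word.decode("latin-1"))
    return words


def flag_line(line):
    """Return a finding dict for a log line that injects a php-cgi -d option, else None."""
    fields = line.split()
    if len(fields) < 11:
        return None
    stem, query, client = fields[4], fields[5], fields[8]
    argv = cgi_argv(query)
    if not any(word.startswith("-d") for word in argv):
        return None
    return {"client": client, "stem": stem, "argv": argv,
            "reason": "php-cgi -d option injected via query string"}


def scan(lines):
    """Scan an iterable of log lines and collect findings."""
    return [hit for hit in (flag_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On real logs, group findings by client address and stem; a burst of these against php-cgi.exe from one source matches the probing pattern the article describes.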
