Gh0st RAT, RedTail, XMRig: what other threats can get into your computer due to a vulnerability in PHP

Akamai researchers revealed what their servers faced after the public disclosure of CVE-2024-4577.

A recently discovered vulnerability in PHP has become a target for several attackers, who use it to deliver remote access Trojans, cryptocurrency miners, and DDoS botnets.

The RCE vulnerability CVE-2024-4577, rated 9.8 on the CVSS scale, allows attackers to remotely execute malicious commands on Windows systems with Chinese and Japanese localization. The problem was first reported in early June 2024.

Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg noted in a recent report that this vulnerability allows attackers to bypass the command line and pass arguments that are interpreted directly by PHP. The root cause is the conversion of Unicode characters to ASCII.

The researchers reported that attempts to exploit this vulnerability were observed on their honeypot servers within 24 hours of the public disclosure. Among the identified attacks were the delivery of the remote access Trojan Gh0st RAT, the cryptominers RedTail and XMRig, and a DDoS botnet called Muhstik.

Akamai specialists also explained that the attacker sent a request resembling previously observed RedTail operations, exploiting the vulnerability with a soft hyphen to execute a wget command that downloads a shell script. That script then made a further network request to fetch the x86 build of the RedTail cryptominer.
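The soft-hyphen pattern described above is something a defender can look for in web-server access logs. The following is an added example, not Akamai's code or any tool from the report: it parses a few constructed combined-format log lines, URL-decodes each query string to bytes, and flags requests to PHP-handled paths whose query contains the 0xAD (soft hyphen) byte. The log format, IP addresses and request targets are constructed for illustration.

```python
"""Flag access-log entries whose PHP-CGI query string carries a URL-encoded
soft hyphen (U+00AD / 0xAD), the argument-injection pattern behind CVE-2024-4577.

Added example, not code from Akamai or the PHP project. Log lines are constructed.
"""
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Combined-log-style line (constructed format, not a real capture):
# <ip> - - [<timestamp>] "<METHOD> <target> HTTP/x.y" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# On the affected Windows code pages this byte is "best-fit" mapped to "-",
# which is why a soft hyphen can stand in for an option dash.
SOFT_HYPHEN = 0xAD

# Constructed sample log: one suspicious PHP-CGI request, one benign .php
# request with a real hyphen, and one non-PHP path that carries 0xAD.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2024:12:00:00 +0000] "GET /php-cgi/php-cgi.exe?%ADfoo HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2024:12:00:01 +0000] "GET /index.php?page=a-b HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Jul/2024:12:00:02 +0000] "GET /img/logo.png?%adfoo HTTP/1.1" 404 0',
]


def is_suspicious_request(target: str) -> bool:
    """True when the request target looks like PHP-CGI argument injection:
    the query string decodes to a 0xAD byte and the path is handled by PHP.

    Decoding to bytes (not str) keeps 0xAD visible even though it is not
    valid UTF-8 on its own; %C2%AD (UTF-8 soft hyphen) also contains 0xAD.
    """
    parts = urlsplit(target)
    if not parts.query:
        return False
    raw = unquote_to_bytes(parts.query)  # handles %AD and %ad alike
    if SOFT_HYPHEN not in raw:
        return False
    # Heuristic path filter: CGI binary or .php script (assumed layout)
    path = parts.path.lower()
    return path.endswith(".php") or "php-cgi" in path


def scan_log(lines):
    """Return (client_ip, target) for every log line that matches the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real tool would count these
        if is_suspicious_request(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"suspicious PHP-CGI request from {ip}: {target}")
```

The check is deliberately narrow: it only inspects the query string of GET-style targets, so requests that carry the soft hyphen in a POST body, or that are double-encoded, would need a separate rule. A hit is a reason to inspect the host and confirm its PHP version is patched, not proof of compromise on its own.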

Last month, Imperva also reported that CVE-2024-4577 is being used by attackers to distribute the TellYouThePass ransomware, in the form of a .NET variant of the file-encrypting malware. Users and organizations running PHP are advised to update their installations to the latest version to protect against these active threats.

The researchers separately noted that the shrinking window defenders have between the disclosure of a new vulnerability and its exploitation is a serious security problem. This is especially true for this PHP vulnerability because of its high exploitability and the speed with which attackers adopted it.
