
Ransomware named TellYouThePass frequently attacks unprotected PHP servers

Vulnerability documented by CISA in its catalog of known exploited vulnerabilities largely impacts systems in China as of now.


CVE-2024-4577: Widespread Ransomware Attacks Exploiting Critical PHP Vulnerability

A critical remote code execution flaw in PHP, identified as CVE-2024-4577, is currently being actively exploited by threat actors, including ransomware groups such as TellYouThePass. This vulnerability, related to PHP CGI argument injection, has a public proof-of-concept (PoC) exploit available, making it easily exploitable in the wild.

The impact of this vulnerability is significant. Attackers can execute code remotely on affected PHP CGI installations, often leading to complete system compromise. The TellYouThePass ransomware campaign has reportedly used CVE-2024-4577 to gain initial access and escalate privileges for encrypting victim systems.

The vulnerability poses a high risk due to its ease of exploitation via available PoCs and the severity of impact. Security researchers and organizations strongly recommend urgent patching of affected PHP versions as soon as updates are released. Some vendors have already begun releasing patches or mitigations, but the specific version details depend on PHP distributions.

Users running PHP in CGI mode should update to the fixed versions and apply best practices such as disabling CGI modules that are not needed and limiting the exposure of PHP CGI endpoints to untrusted input.

As of Thursday, about 1,000 infected hosts have been observed, mainly located in China. The number of observed infections is down from about 1,800 as of June 10. Researchers at Imperva first detected TellYouThePass ransomware being deployed to exploit the vulnerability.

The threat actors seem to be mass scanning the internet, rather than targeting any specific organizations. It's worth noting that TellYouThePass ransomware has previously leveraged vulnerabilities in Apache Log4j (CVE-2021-44228) and a vulnerability in Apache ActiveMQ (CVE-2023-46604).

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-4577 to its known exploited vulnerabilities catalog on Wednesday. As the situation evolves, it's crucial for organizations to monitor vendor updates and apply patches without delay to secure their PHP environments against this vulnerability.

For more information on the patches released by PHP, including versions 8.3.8, 8.2.20, and 8.1.29, please refer to the official PHP website. Stay vigilant and prioritize security measures to protect your digital assets.
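A quick triage helper for the advice above, added here as an example and not code from the article or the PHP project: it parses the first line of `php -v` / `php-cgi -v` output, compares the version with the patched releases the article names (8.3.8, 8.2.20, 8.1.29) for its branch, and flags hosts whose CGI SAPI build is below the fix. The banner layout and the `cgi-fcgi` SAPI name are assumptions about PHP's version output; branches not in the list (for example 8.0) are reported as having no fixed release named on this page rather than guessed.

```python
import re

# Patched releases named in the article, keyed by (major, minor) branch.
# Branches absent here (e.g. 8.0 or 7.x) have no fixed version listed on the page.
FIXED_VERSIONS = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}

# Assumed banner shape: "PHP 8.1.28 (cgi-fcgi) (built: ...)"; distro suffixes
# such as "8.1.28-1ubuntu1" after the patch number are tolerated.
BANNER_RE = re.compile(r"\bPHP\s+(\d+)\.(\d+)\.(\d+)(?:[^\s(]*)\s+\(([a-z-]+)\)")

def parse_banner(banner: str) -> tuple[tuple[int, int, int], str]:
    """Return ((major, minor, patch), sapi) from a PHP version banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised PHP banner: {banner!r}")
    major, minor, patch, sapi = m.groups()
    return (int(major), int(minor), int(patch)), sapi

def patch_status(version: tuple[int, int, int]) -> str:
    """'patched' at or above the fixed release for the branch, 'vulnerable' below it,
    'no-fix-listed' when the branch has no patched release in FIXED_VERSIONS."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "no-fix-listed"
    return "patched" if version >= fixed else "vulnerable"

def triage(banner: str) -> dict:
    """Combine version status with whether the CGI SAPI is in use.
    Only CGI builds (SAPI 'cgi-fcgi', an assumption about PHP's naming) are the
    exposed surface for the CGI argument-injection issue; an unpatched CLI build
    still needs updating but is not flagged as exposed here."""
    version, sapi = parse_banner(banner)
    status = patch_status(version)
    exposed = status != "patched" and sapi == "cgi-fcgi"
    return {"version": ".".join(map(str, version)), "sapi": sapi,
            "status": status, "cgi_exposed": exposed}

# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "PHP 8.1.28 (cgi-fcgi) (built: Apr 10 2024 12:00:00) (NTS)",
    "PHP 8.3.8 (cli) (built: Jun  5 2024 09:00:00) (NTS)",
    "PHP 8.0.30 (cgi-fcgi) (built: Aug  3 2023 10:00:00) (NTS)",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(triage(b))
```

Feed it real `php-cgi -v` output from an inventory job to get a per-host list of CGI builds still below the fixed release.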


  1. Ongoing ransomware attacks, such as those by TellYouThePass, are exploiting the critical PHP vulnerability CVE-2024-4577, which carries a high risk because it is easy to exploit and can lead to full system compromise.
  2. Because CVE-2024-4577 is being actively exploited, it requires immediate attention from security researchers and organizations alike: compromised systems can end up running ransomware such as TellYouThePass, which underlines the importance of keeping PHP installations patched.
