PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

Multiple threat actors are exploiting a newly disclosed security flaw in PHP to distribute remote access trojans, cryptocurrency miners, and DDoS botnets. The vulnerability, identified as CVE-2024-4577 (CVSS score: 9.8), allows attackers to execute malicious commands on Windows systems using Chinese and Japanese language locales. This flaw, publicly disclosed in early June 2024, enables command line escape and direct argument interpretation by PHP.

via GIPHY

Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg revealed in a Wednesday analysis that CVE-2024-4577 stems from improper conversion of Unicode characters to ASCII. They observed exploit attempts against their honeypot servers within 24 hours of the vulnerability’s public disclosure, including delivery of the Gh0st RAT, RedTail and XMRig cryptocurrency miners, and the Muhstik DDoS botnet.

The attackers used a soft hyphen flaw with ‘%ADd’ to execute a wget request for a shell script, leading to further network requests to retrieve an x86 version of the RedTail crypto-mining malware. Last month, Imperva reported that TellYouThePass ransomware actors are also exploiting CVE-2024-4577 to distribute a .NET variant of the file-encrypting malware.

Users and organizations relying on PHP should update to the latest version to defend against these active threats. Akamai researchers emphasized the shrinking time defenders have to protect themselves after a new vulnerability disclosure, highlighting the high exploitability and quick adoption by threat actors of this particular PHP vulnerability.

In related news, Cloudflare reported a 20% year-over-year increase in DDoS attacks in the second quarter of 2024, mitigating 8.5 million attacks in the first half of the year. China, Turkey, Singapore, and Hong Kong were among the most targeted countries, while Argentina was the largest source of DDoS attacks.

Given the rapid exploitation of CVE-2024-4577, it’s crucial for users to update PHP installations immediately to prevent potential security breaches.

Share This Article

Start Growing with Cloudways Today.

Our Clients Love us because we never compromise on these

Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He’s also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.

×

Thankyou for Subscribing Us!

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Thank you for your feedback!

Similar Posts