Summary: Cisco Talos has uncovered a sophisticated cyberattack campaign targeting various Japanese industries, actively exploiting a vulnerability in PHP-CGI for remote code execution. The attacks include credential theft, privilege escalation, and deployment of persistent backdoors facilitated by the Cobalt Strike toolkit. Despite similarities to the tactics of previously reported threat groups, the attackers' identities remain unconfirmed.
Affected: Organizations across technology, telecommunications, entertainment, education, and e-commerce sectors in Japan
Keypoints:
- Exploitation of CVE-2024-4577 vulnerability in PHP-CGI on Windows for unauthorized access.
- Deployment of a PowerShell script for establishing reverse HTTP shells and extensive post-exploitation activities.
- Use of command-and-control servers hosted on Alibaba Cloud for remote operations and information gathering.
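As an added example (not code or data from the Talos report or this page): a small detection routine that flags the php-cgi argument-injection pattern behind CVE-2024-4577 in web-server access logs. It assumes the publicly documented mechanism of that CVE, namely that on Windows the "best-fit" code-page mapping turns the soft hyphen byte 0xAD into an ASCII hyphen after php-cgi's own check for a leading `-`, so a query string such as `%ADd+...` is parsed as a `-d` command-line option. The log lines below are constructed; the page does not state the attackers' actual requests, hosts or C2 addresses, so none appear here.

```python
"""Flag php-cgi argument-injection attempts (CVE-2024-4577 style) in access-log lines.

Added example with constructed sample data; not from the Talos report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote_to_bytes

# Apache/IIS-style combined log line: client, identity, user, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
SOFT_HYPHEN = 0xAD  # U+00AD; Windows best-fit mapping turns it into '-' (0x2D)
# ini directives commonly set via -d to turn argument injection into code execution
DANGEROUS_INI = (b"auto_prepend_file", b"auto_append_file", b"allow_url_include")

# Constructed sample log (not real traffic). Line 2 carries the soft-hyphen form,
# line 3 the pre-2024 ASCII-hyphen form, lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Mar/2025:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [04/Mar/2025:10:12:05 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.12 - - [04/Mar/2025:10:12:09 +0000] "GET /test.php?-d+display_errors%3d1 HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.13 - - [04/Mar/2025:10:12:12 +0000] "GET /page.php?id=42&lang=ja HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    line_no: int
    client: str
    kind: str                 # "soft-hyphen" (CVE-2024-4577 form) or "ascii-hyphen" (older form)
    options: List[str] = field(default_factory=list)  # injected options after best-fit mapping
    dangerous: bool = False   # a -d sets one of DANGEROUS_INI


def cgi_argv(query: str) -> List[bytes]:
    """Model the CGI rule php-cgi follows: a query string with no literal '=' is split on '+'
    and each piece is percent-decoded into one command-line argument."""
    if "=" in query:
        return []
    return [unquote_to_bytes(piece) for piece in query.split("+") if piece]


def best_fit(arg: bytes) -> bytes:
    """Apply the single best-fit mapping that matters here: soft hyphen 0xAD -> ASCII '-'."""
    return arg.replace(bytes([SOFT_HYPHEN]), b"-")


def inspect_request(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding if the request's query string would reach php-cgi as injected options."""
    m = REQUEST_RE.match(line)
    if not m or "?" not in m.group("target"):
        return None
    argv = cgi_argv(m.group("target").split("?", 1)[1])
    kind = None
    options: List[str] = []
    dangerous = False
    i = 0
    while i < len(argv):
        raw = argv[i]
        mapped = best_fit(raw)
        # an option is '-' followed by an ASCII letter; '-d' consumes the next arg as ini=value
        if len(mapped) >= 2 and mapped[0] == 0x2D and bytes([mapped[1]]).isalpha():
            if raw[0] == SOFT_HYPHEN:
                kind = "soft-hyphen"   # slips past php-cgi's check for a leading ASCII '-'
            elif kind is None:
                kind = "ascii-hyphen"
            text = mapped.decode("latin-1")
            if mapped[:2] == b"-d" and i + 1 < len(argv):
                assignment = argv[i + 1]
                text += " " + assignment.decode("latin-1")
                if assignment.split(b"=", 1)[0].strip().lower() in DANGEROUS_INI:
                    dangerous = True
                i += 1
            options.append(text)
        i += 1
    if kind is None:
        return None
    return Finding(line_no, m.group("client"), kind, options, dangerous)


def scan_log(text: str) -> List[Finding]:
    """Run inspect_request over every line and collect the hits."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        f = inspect_request(n, line)
        if f is not None:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "CRITICAL" if f.dangerous else "suspicious"
        print(f"line {f.line_no} {f.client} [{flag}] {f.kind}: {f.options}")
```

The check splits on `+` before percent-decoding, as the CGI specification requires, so `%2B` inside an argument is not mistaken for a separator, and it only treats a query string as argv when it contains no literal `=`, which is why the exploit form encodes `=` as `%3d`. Tuning note: a hit on the ASCII-hyphen form against a patched PHP is an attempt rather than a success, so correlate the `dangerous` flag with the response status and any subsequent PowerShell or outbound HTTP activity from the web server before escalating.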