FOCUS MODE
EXTRACT IOC
Threat Research

Technical Advisory: Mass Exploitation of CVE-2024-4577

Securonix
Technical Advisory: Mass Exploitation of CVE-2024-4577
In June 2024, Bitdefender Labs highlighted a critical security vulnerability (CVE-2024-4577) in PHP affecting Windows systems in CGI mode, allowing remote code execution through manipulated character encoding. This vulnerability has seen an increase in exploitation attempts, especially in Taiwan and Hong Kong, with attackers also modifying firewall settings to block known malicious IPs. Notable activities include cryptojacking, use of remote access tools, and deployment of various malware types. Affected: Windows, PHP, Taiwan, Hong Kong, Brazil, Japan, India

Keypoints :

  • Bitdefender issued an advisory regarding CVE-2024-4577, a severe argument injection vulnerability in PHP.
  • This vulnerability allows remote attackers to execute arbitrary code through character encoding manipulations.
  • Exploitation attempts have surged, particularly in Taiwan and Hong Kong.
  • Attackers are modifying firewall settings on compromised servers to block access to known malicious IPs.
  • Observations of competition between cryptojacking groups for control over compromised servers.
  • Common tactics used by attackers include basic vulnerability checks, system reconnaissance, and deployment of cryptominers like XMRig.
  • Bitdefender recommends upgrading to the latest PHP versions to mitigate the vulnerability.
  • Organizations should consider limiting the use of PowerShell to privileged users to prevent unauthorized access.

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: Use of PowerShell for downloading malicious scripts from C2 servers.
  • T1059.001 – Command and Scripting Interpreter: Execution of commands using cmd.exe and PowerShell for reconnaissance and exploitation.
  • T1105 – Ingress Tool Transfer: Downloading XMRig miner from compromised web servers using curl.
  • T1486 – Data Encrypted for Impact: Use of remote access tools for potential ransomware deployment.
  • T1193 – Spear Phishing Link: Initial access through open vulnerabilities in PHP.
  • T1218.011 – Signed Binary Proxy Execution: Use of legitimate tools like git.exe for assessing and exploiting server vulnerabilities.

Indicator of Compromise :

  • [Domain] oldschool[.]best
  • [IP Address] 159.100.22[.]58
  • [IP Address] 185.208.158[.]206
  • [IP Address] 176.65.137[.]85
  • [IP Address] 1.255.85[.]176

Full Story: https://www.bitdefender.com/en-us/blog/businessinsights/technical-advisory-update-mass-exploitation-cve-2024-4577

Tags: BOTNET, PHISHING, FIREWALL, IMPACT, RECONNAISSANCE, PROXY, PATCH, WINDOWS