
TellYouThePass Ransomware Group Exploits Critical PHP Flaw


A ransomware group known as TellYouThePass has been exploiting a critical vulnerability in the PHP scripting language to carry out remote code execution attacks against both Windows and Linux systems. Active since 2019, the group has a history of targeting known vulnerabilities in widely deployed open source web components, such as the Apache Log4j flaw (CVE-2021-44228) and the Apache ActiveMQ server RCE bug (CVE-2023-46604).

The latest campaign by TellYouThePass involves exploiting a critical remote code execution vulnerability in PHP, identified as CVE-2024-4577, which was discovered earlier this month. Security researchers have observed attempts by the group to upload webshells and deploy ransomware on target systems using this exploit.

PHP, similar to Java, is widely used in web development, making vulnerabilities in this language attractive to attackers. The exploitation of the CVE-2024-4577 vulnerability highlights the risks associated with such flaws and the potential for widespread attacks on organizations.

The vulnerability in question, CVE-2024-4577, is an argument-injection flaw in PHP’s CGI mode that stems from character-encoding conversion errors, with a particular impact on Windows systems because of the “Best Fit” character mapping applied there. Researchers have confirmed that the vulnerability can allow malicious actors to execute arbitrary code on vulnerable servers.

Proof-of-concept exploit scripts for CVE-2024-4577 have been released, demonstrating the ease with which the bug can be exploited. TellYouThePass has been quick to leverage this vulnerability to execute arbitrary PHP code on target systems, using PHP’s ‘system’ function to run malicious applications hosted on attacker-controlled servers.

TellYouThePass, first identified by security researchers in 2019, has evolved its ransomware tactics over the years. Recent variants of the malware are .NET samples delivered as HTML Applications, with initial infection carried out by malicious HTA files containing VBScript.

Once executed, the ransomware enumerates directories, kills processes, generates encryption keys, and encrypts files with specific extensions. Victims are then left a ReadMe message in the web root directory, outlining instructions on how to respond to the attack.

To mitigate exploitation of CVE-2024-4577 and avoid ransomware attacks, organizations are advised to patch affected systems promptly. Disabling PHP’s CGI mode and migrating to more secure architectures such as mod_php, FastCGI, or PHP-FPM can also reduce the risk of exploitation.
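As an added illustration of the configuration change described above (not taken from the original article), the two Apache httpd fragments below contrast the CGI-mode handler pattern that runs PHP through php-cgi with a handler that hands .php requests to PHP-FPM instead. The file paths, module names and the FPM listening port are assumed placeholders and must be adjusted to the local installation.

```apache
# --- WEAK: PHP served through the CGI binary (php-cgi / php-cgi.exe) ---
# This is the deployment pattern that CVE-2024-4577 affects. Paths are
# placeholders for an assumed Windows bundle layout.
#
# ScriptAlias /php-cgi/ "C:/php/"
# Action application/x-httpd-php "/php-cgi/php-cgi.exe"
# AddHandler application/x-httpd-php .php
# <Directory "C:/php">
#     Require all granted
# </Directory>

# --- HARDENED: remove the CGI handler and proxy .php to PHP-FPM ---
# Requires mod_proxy and mod_proxy_fcgi to be loaded; the module paths
# below are placeholders for the local httpd build.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so

# No ScriptAlias / Action / AddHandler lines for php-cgi remain.
# Every .php request is forwarded to the FPM pool; php-cgi is never invoked,
# so there is no CGI command line for injected arguments to land in.
<FilesMatch "\.php$">
    SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>

# Keep the PHP source tree outside the document root and unreachable
# over HTTP, so a stray handler cannot expose the interpreter directly.
<Directory "/opt/php">
    Require all denied
</Directory>
```

After applying a change like this, restart httpd and confirm that no process named php-cgi is spawned when a .php page is requested; PHP-FPM itself still needs to be on a patched PHP release.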

Furthermore, organizations should maintain a strong awareness of their assets and applications, patch vulnerabilities promptly, deploy web application firewall technologies, and use reliable antivirus programs to defend against malware campaigns like TellYouThePass. By following these best practices, organizations can strengthen their security posture and protect themselves from ransomware threats.
