Threat Actors Target Windows Machines by Exploiting PHP-CGI RCE Vulnerability

A critical remote code execution (RCE) vulnerability in PHP-CGI on Windows systems is being exploited by unidentified attackers. The vulnerability, tracked as CVE-2024-4577, lets attackers execute arbitrary PHP code on servers running Apache with a vulnerable PHP-CGI configuration. The primary targets are organizations in Japan across sectors including technology, telecommunications, entertainment, education, and e-commerce.

The attackers use a publicly available Python exploit script to check for CVE-2024-4577 and gain initial access. Once the vulnerability is exploited, they run a PowerShell command embedded in PHP code, which downloads and executes a PowerShell injector script from a command and control (C2) server. According to a report from Cisco Talos, this script injects and executes Cobalt Strike reverse HTTP shellcode, giving the attackers remote access to the victim’s machine.

Following initial exploitation, the attackers carry out post-exploitation activity using plugins from the Cobalt Strike “TaoWu” kit, covering reconnaissance, privilege escalation, and persistence. Tools such as JuicyPotato, RottenPotato, and SweetPotato are used for privilege escalation, while registry keys are modified and scheduled tasks created for persistence. The attackers also perform network reconnaissance with tools such as “fscan.exe” and “Seatbelt.exe” to identify targets for lateral movement. In addition, they attempt to abuse Group Policy Objects (GPOs) to execute malicious scripts across the network and use Mimikatz to dump and exfiltrate passwords and NTLM hashes from memory. To evade detection, they clear Windows event logs using “wevtutil.exe.”
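The chain described in the two paragraphs above, php-cgi.exe spawning PowerShell, the Potato privilege-escalation binaries and reconnaissance tools, and wevtutil clearing event logs, gives a defender a few high-fidelity process-creation detections. The script below is an added example, not code from the article or the Talos report; it runs those checks over constructed Sysmon-style events, and the field names, file paths and sample command lines are assumptions.

```python
import json
import ntpath
# Constructed sample of Windows process-creation events (Sysmon Event ID 1 / Security
# Event ID 4688 style), one JSON object per line. Field names are an assumption.
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Apache24\\bin\\httpd.exe", "Image": "C:\\php\\php-cgi.exe", "CommandLine": "php-cgi.exe"}
{"ParentImage": "C:\\php\\php-cgi.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command <placeholder: fetch-and-run-injector>"}
{"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Users\\Public\\JuicyPotato.exe", "CommandLine": "JuicyPotato.exe"}
{"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
"""
# Binaries the article names for privilege escalation, reconnaissance and credential theft.
KNOWN_TOOLS = {"juicypotato.exe", "rottenpotato.exe", "sweetpotato.exe",
               "fscan.exe", "seatbelt.exe", "mimikatz.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def basename(path):
    return ntpath.basename(path).lower()

def classify(event):
    """Return (severity, reason) findings for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    findings = []
    # php-cgi.exe serves requests; it spawning a shell matches the PHP-embedded PowerShell step.
    if parent == "php-cgi.exe" and image in SHELLS:
        findings.append(("high", f"{parent} spawned {image}: post-exploitation of PHP-CGI"))
    if image in KNOWN_TOOLS:
        findings.append(("high", f"known offensive tool executed: {image}"))
    # "wevtutil cl <log>" (alias of clear-log) wipes an event log: the anti-forensics step.
    tokens = event.get("CommandLine", "").lower().split()
    if image == "wevtutil.exe" and len(tokens) >= 2 and tokens[1] in ("cl", "clear-log"):
        findings.append(("medium", "event log cleared: " + " ".join(tokens[1:])))
    return findings

def scan(text):
    """Run classify() over JSON-lines events; return [(line_no, findings)] for hits only."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        if line.strip():
            findings = classify(json.loads(line))
            if findings:
                hits.append((n, findings))
    return hits

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_EVENTS):
        for severity, reason in findings:
            print(f"event {n}: [{severity}] {reason}")
```

Event 1 (httpd.exe launching php-cgi.exe) is normal CGI operation and produces no finding; events 2 to 4 each trigger one rule.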

The attackers have also been observed misusing legitimate tools and frameworks hosted on an Alibaba Cloud container registry. Using a pre-configured installer script, they deploy a suite of adversarial tools including Vulfocus, Asset Reconnaissance Lighthouse (ARL), Viper C2, Starkiller, BeEF, and Blue-Lotus. These tools, normally used for offensive security testing, are being repurposed for malicious activity. While the tactics resemble those of known hacker groups, attribution remains uncertain.

The ongoing exploitation of public-facing applications for initial access underscores the importance of patching vulnerabilities and implementing robust security measures. Organizations are advised to prioritize securing their PHP-CGI implementations and monitoring for any suspicious activity to mitigate these evolving threats.

Given the severity of the situation, it is crucial for organizations to stay vigilant and proactive in enhancing their cybersecurity defenses to safeguard against such attacks. As cyber threats continue to evolve, it is imperative for businesses to stay updated on the latest vulnerabilities and security best practices to ensure the protection of their digital assets.
