CVE-2024-4577 PHP Vulnerability Exploited by TellYouThePass Ransomware Group

A recently identified vulnerability in PHP, designated CVE-2024-4577, was being exploited by a ransomware group within days of its disclosure. Cybersecurity firm Imperva, which reported the exploitation trend, notes that the vulnerability affects Windows servers running PHP in CGI mode under Apache.

Essentially, the flaw permits attackers to inject command-line arguments and execute arbitrary code when certain code pages are enabled, because PHP did not account for Windows' 'Best-Fit' character-conversion behavior. Under that conversion, specific character sequences in a request are misinterpreted as PHP options, which can lead to the execution of unauthorized code.

CVE-2024-4577 affects PHP on Windows across versions, including the older 8.0, 7, and 5 branches, and prompted PHP to release patched versions 8.1.29, 8.2.20, and 8.3.8. Within days of PHP's disclosure and patch release, however, the TellYouThePass ransomware group began exploiting vulnerable servers, as observed by Imperva. The attacks were multifaceted, involving attempts to upload WebShells and to deploy ransomware onto targeted systems.
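For a defender doing exposure triage, the facts in the paragraph above reduce to a small decision: is the host Windows, is PHP served through CGI under Apache, and is the PHP version older than the fixed release for its branch (8.1.29, 8.2.20, 8.3.8), or on a branch (5, 7, 8.0) that the article lists as affected but for which no fixed release is named? The script below is an added example, not code from Imperva or the PHP project; the `PhpHost` inventory record, the constructed sample hosts, and the assumption that branches newer than 8.3 carry the fix are all mine.

```python
"""Exposure triage for CVE-2024-4577 based on the affected set described
in the article: Windows + Apache + PHP-CGI + unpatched PHP version.
Added example; not Imperva's or the PHP project's code."""
from dataclasses import dataclass

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}


def parse_version(text: str) -> tuple:
    """'8.2.19' -> (8, 2, 19). Tolerates suffixes such as '8.2.19-dev'."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PHP version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_is_fixed(version: str) -> bool:
    """True if this PHP version is at or above the fixed release for its branch."""
    major, minor, patch = parse_version(version)
    if major < 8 or (major == 8 and minor == 0):
        # 5.x, 7.x and 8.0 are listed as affected and have no fixed release.
        return False
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # Assumption (not from the article): branches newer than 8.3 ship fixed.
        return (major, minor) > (8, 3)
    return (major, minor, patch) >= fixed


@dataclass
class PhpHost:
    """Hypothetical inventory record; field values are constructed for the example."""
    name: str
    os: str          # e.g. "Windows", "Linux"
    web_server: str  # e.g. "Apache", "IIS", "nginx"
    sapi: str        # PHP SAPI name, e.g. "cgi-fcgi", "apache2handler", "fpm-fcgi"
    version: str


def assess(host: PhpHost) -> str:
    """Classify a host against the affected configuration from the article.

    Returns one of:
      'not-affected:os'      - not a Windows host
      'not-affected:sapi'    - PHP not running as CGI under Apache
      'patched'              - affected configuration but on a fixed release
      'exposed'              - affected configuration on an unfixed version
    """
    if host.os.lower() != "windows":
        return "not-affected:os"
    if host.web_server.lower() != "apache" or not host.sapi.lower().startswith("cgi"):
        return "not-affected:sapi"
    return "patched" if version_is_fixed(host.version) else "exposed"


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    PhpHost("web-01", "Windows", "Apache", "cgi-fcgi", "8.2.19"),
    PhpHost("web-02", "Windows", "Apache", "cgi-fcgi", "8.3.8"),
    PhpHost("web-03", "Windows", "Apache", "apache2handler", "8.1.28"),
    PhpHost("web-04", "Linux", "Apache", "cgi-fcgi", "7.4.33"),
    PhpHost("web-05", "Windows", "Apache", "cgi-fcgi", "7.4.33"),
]


def triage(hosts) -> dict:
    """Map host name -> classification for a whole inventory."""
    return {h.name: assess(h) for h in hosts}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{name}: {verdict}")
```

The `exposed` verdicts are the ones to act on first: upgrade to the fixed release where one exists, and for the 5, 7 and 8.0 branches, which have no fixed release in the list above, move PHP off the CGI configuration or off the unsupported branch entirely.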

In these attacks, the threat actors executed arbitrary PHP code on compromised machines, using the 'system' function to launch HTML application files fetched from remote servers. The ransomware deployed by the TellYouThePass group is a .NET executable that is loaded directly into memory on execution. After establishing communication with its command-and-control server, the malware enumerates directories, halts running processes, generates encryption keys, and encrypts files with specific extensions.

The TellYouThePass ransomware group, active since 2019, has a history of targeting both businesses and individuals. Its previous campaigns exploited vulnerabilities in Apache Log4j (CVE-2021-44228) and ActiveMQ (CVE-2023-46604). With CVE-2024-4577, the group adds another tool to its arsenal, underscoring the ongoing challenge posed by vulnerabilities in widely used software.