Exploitation of PHP Vulnerability CVE-2024-4577 Sparks Major Malware and DDoS Attacks

In a troubling development, multiple cyber threat actors have been actively exploiting a recently disclosed security vulnerability in PHP, designated as CVE-2024-4577. This critical flaw, with a CVSS score of 9.8, allows attackers to remotely execute malicious commands on Windows systems that use Chinese and Japanese language locales. The vulnerability, publicly disclosed in early June 2024, has led to a significant increase in malware distribution and DDoS attacks.

Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg explained in their analysis that CVE-2024-4577 allows attackers to bypass the command line and directly interpret arguments in PHP due to issues with Unicode-to-ASCII conversion. This flaw has been swiftly exploited by attackers, as evidenced by honeypot servers detecting exploit attempts within 24 hours of the vulnerability's public disclosure.

These exploit attempts include the delivery of a variety of malicious payloads, such as the Gh0st RAT remote access trojan, cryptocurrency miners like RedTail and XMRig, and the Muhstik DDoS botnet. Attackers have been observed using a soft hyphen flaw to execute a wget request for a shell script, which then retrieves and installs the RedTail crypto-mining malware from a Russia-based IP address.
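One defensive check that follows from the soft hyphen detail above, written here as an added example (not code from Akamai or from the article): a small Python scanner over web-server access logs that flags requests whose percent-decoded query string carries a soft hyphen (U+00AD), either as a lone `%AD` byte or in its UTF-8 form `%C2%AD`. The log lines are constructed for the example, the log format is assumed to be Apache-style common log format, and the function names are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log entries (common log format); not real traffic.
# Line 2 carries a lone %AD byte, line 3 the UTF-8 form of the soft hyphen,
# line 5 a legitimate CJK character whose UTF-8 encoding happens to end in 0xAD.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.11 - - [10/Jul/2024:12:00:02 +0000] "GET /index.php?%ADx+probe HTTP/1.1" 200 64
203.0.113.12 - - [10/Jul/2024:12:00:03 +0000] "GET /about.php?q=soft%C2%ADhyphen HTTP/1.1" 200 128
203.0.113.13 - - [10/Jul/2024:12:00:04 +0000] "POST /upload.php HTTP/1.1" 200 64
203.0.113.14 - - [10/Jul/2024:12:00:05 +0000] "GET /search.php?q=%E4%B8%AD HTTP/1.1" 200 2048
"""

# Request line inside a common-log-format entry: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

SOFT_HYPHEN = "\u00ad"  # the character that Windows "best fit" conversion turns into a plain '-'


def query_has_soft_hyphen(target: str) -> bool:
    """Return True if the percent-decoded query string of a request target contains a soft hyphen.

    Two encodings are checked:
      * a lone 0xAD byte (from %AD), which is not valid UTF-8 on its own, and
      * the UTF-8 sequence C2 AD (from %C2%AD), which decodes to U+00AD.
    Valid UTF-8 text such as CJK characters may legitimately contain 0xAD as a
    continuation byte, so raw bytes are only inspected when strict UTF-8 decoding fails.
    """
    if "?" not in target:
        return False
    raw = unquote_to_bytes(target.split("?", 1)[1])
    try:
        return SOFT_HYPHEN in raw.decode("utf-8")
    except UnicodeDecodeError:
        return b"\xad" in raw


def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return one finding per request flagged by query_has_soft_hyphen."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if query_has_soft_hyphen(target):
            findings.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "method": m.group("method"),
                "path": target.split("?", 1)[0],
                "indicator": "soft hyphen (U+00AD / 0xAD) in query string",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the block against the constructed sample reports lines 2 and 3 only; the CJK query on line 5 decodes as valid UTF-8 without a U+00AD code point and is left alone, which is the false-positive case a naive `%AD` substring match would trip on.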

Adding to the concern, Imperva reported last month that the same vulnerability is being exploited by actors distributing a .NET variant of the TellYouThePass ransomware. This highlights the broad adoption of the exploit by various cybercriminal groups.

Organizations using PHP are strongly advised to update their installations to the latest version to protect against these active threats. The rapid exploitation of this vulnerability underscores the shrinking window defenders have to act following a new vulnerability disclosure.

In related news, Cloudflare has reported a 20% increase in DDoS attacks in the second quarter of 2024 compared to the same period last year. The company mitigated 8.5 million DDoS attacks in the first half of 2024 alone. While the overall number of DDoS attacks in Q2 decreased by 11% from the previous quarter, the year-over-year increase remains a significant concern.

Half of all HTTP DDoS attacks during this period were attributed to known DDoS botnets, with other attack vectors including fake user agents, headless browsers, suspicious HTTP attributes, and generic floods. The most targeted countries were China, Turkey, and Singapore, while the IT and services, telecom, and consumer goods sectors were the primary victims.

Argentina emerged as the largest source of DDoS attacks in Q2 2024, followed by Indonesia and the Netherlands. This evolving threat landscape underscores the need for robust and up-to-date security measures to safeguard against the ever-growing sophistication and frequency of cyberattacks.