Cybersecurity experts have identified a critical security flaw in PHP that threat actors are exploiting to distribute cryptocurrency miners and remote access trojans (RATs) such as Quasar RAT. The vulnerability, tracked as CVE-2024-4577, allows remote attackers to run arbitrary code on Windows systems where PHP runs in CGI mode. Bitdefender has reported a surge in exploitation attempts targeting this flaw, concentrated in countries such as Taiwan, Hong Kong, Brazil, Japan, and India.
A significant portion of the exploitation attempts involves basic vulnerability checks and system reconnaissance commands. Some attacks have led to the deployment of cryptocurrency miners such as XMRig and Nicehash, disguised as legitimate applications to evade detection. Other attacks have leveraged the PHP flaw to deliver tools such as the Quasar RAT and to execute malicious Windows installer files using cmd.exe.
In a peculiar turn of events, there have been instances where attackers have tried to modify firewall configurations on vulnerable servers to block access to known malicious IPs associated with the exploit. This behavior suggests a competition among cryptojacking groups to control susceptible resources and prevent rivals from targeting the same servers. This tactic aligns with historical observations of cryptojacking attacks terminating rival miner processes before deploying their own payloads.
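An added example, not taken from the Bitdefender or Cisco Talos reports: a small Python detector that walks Sysmon-style process-creation events and flags shells, installers and firewall-rule edits spawned beneath php-cgi.exe, the post-exploitation chain described above. The events are constructed; netsh.exe as the firewall tool and the list of suspicious child binaries are assumptions.

```python
import ntpath
# Constructed Sysmon Event ID 1 (process creation) records as a log shipper would
# emit them. Field names follow Sysmon's schema; GUIDs, paths and command lines
# are invented for this example.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{1}", "ParentProcessGuid": "{0}", "Image": r"C:\php\php-cgi.exe",
     "CommandLine": "php-cgi.exe"},
    {"ProcessGuid": "{2}", "ParentProcessGuid": "{1}", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ProcessGuid": "{3}", "ParentProcessGuid": "{2}", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=x dir=in action=block remoteip=203.0.113.7"},
    {"ProcessGuid": "{4}", "ParentProcessGuid": "{2}", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\Public\setup.msi /quiet"},
]
# Binaries php-cgi.exe has no reason to spawn while serving pages. netsh.exe is an
# assumption for the firewall edits described in the article.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "netsh.exe",
                       "msiexec.exe", "certutil.exe", "wscript.exe", "cscript.exe"}
# Fragments tied to the reported behaviour (firewall rule edits, silent installs,
# miner names); a miner renamed to look legitimate will not match by name.
SUSPICIOUS_CMDLINE = ("advfirewall", "msiexec", "/quiet", "xmrig", "nicehash")


def descends_from_php_cgi(guid, by_guid, max_depth=8):
    """Follow ParentProcessGuid links; True if php-cgi.exe is any ancestor."""
    for _ in range(max_depth):  # depth cap guards against malformed or cyclic data
        event = by_guid.get(guid)
        parent = by_guid.get(event["ParentProcessGuid"]) if event else None
        if parent is None:
            return False
        if ntpath.basename(parent["Image"]).lower() == "php-cgi.exe":
            return True
        guid = parent["ProcessGuid"]
    return False


def find_suspicious(events):
    """Return [(ProcessGuid, [reasons])] for post-exploitation-like children of php-cgi.exe."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if not descends_from_php_cgi(e["ProcessGuid"], by_guid):
            continue
        name = ntpath.basename(e["Image"]).lower()
        cmd = e["CommandLine"].lower()
        reasons = [f"{name} spawned under php-cgi.exe"] if name in SUSPICIOUS_CHILDREN else []
        reasons += [f"command line contains '{f}'" for f in SUSPICIOUS_CMDLINE if f in cmd]
        if reasons:
            hits.append((e["ProcessGuid"], reasons))
    return hits
```

The ancestry walk matters because the firewall edit and the installer run are grandchildren of php-cgi.exe via cmd.exe, so a parent-only rule would miss them.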
Recent reports from Cisco Talos have highlighted a campaign targeting Japanese organizations by exploiting the same PHP flaw. To mitigate these threats, users are urged to update their PHP installations to the latest version. Additionally, organizations should consider restricting the use of tools like PowerShell to privileged users, such as administrators, to minimize the risk of exploitation.