PHP Vulnerability Exploited for RCEs, Cryptominers, and DDoS
Shortly after a new PHP bug was disclosed in late spring, Akamai researchers detected numerous attempts to exploit the vulnerability, highlighting its high exploitability and rapid adoption by threat actors.
Given that PHP is one of the most popular server-side scripting languages, used to create dynamic web pages on more than 75% of websites, many enterprises with PHP-based applications are at risk, according to security researchers.
The vulnerability, identified as CVE-2024-4577, has been exploited to deploy remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) attacks.
In a July 10 blog post, Akamai researchers described an attack involving Gh0st RAT malware, an open-source remote access trojan that has been around for over 15 years.
Akamai honeypots also observed a RedTail cryptomining operation exploiting CVE-2024-4577 shortly after the vulnerability was disclosed. Additionally, researchers found a sample of Muhstik malware, previously documented targeting Internet-of-Things and Linux servers for cryptomining and DDoS attacks.
Michael Skelton, vice president of operations and hacker success at Bugcrowd, emphasized that PHP flaws like CVE-2024-4577 are particularly dangerous due to PHP’s widespread use. These vulnerabilities can lead to server-side command execution, compromising entire web servers and potentially exploiting adjacent systems and services.
“The level of access these vulnerabilities provide can enable persistent access, allowing future compromises even after the initial flaw has been addressed,” said Skelton. “While Akamai and other providers offer temporary mitigations, these solutions can often be bypassed. The best response to such vulnerabilities is to apply patches as soon as they are released and conduct thorough incident response efforts to ensure no attacker persistence remains.”
CVE-2024-4577: PHP 8.1.* before 8.1.29, 8.2.* 8.2.20, 8.3.* 8.3.8, when using Apache and PHP-CGI on Windows, allows a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts or run arbitrary PHP on the server.
PoC: https://t.co/xKYp4HO6Tg pic.twitter.com/igClTRitEK
— Cyber Advising (@cyber_advising) June 10, 2024
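The quoted advisory gives three concrete facts a defender can act on: the first fixed release in each affected branch (8.1.29, 8.2.20, 8.3.8), the affected SAPI (PHP-CGI), and the affected platform (Windows). The script below, an added example that is neither from the article nor from Akamai, turns those into an inventory check: it parses the first line printed by `php -v` / `php-cgi -v`, compares the version against the fix thresholds, and reports whether the three advisory conditions all hold. The banner lines are constructed samples in the documented `php -v` format; the treatment of branches older than 8.1 (end-of-life, so assumed unfixed) is an assumption, and the check cannot see whether Apache sits in front of the binary, so that condition is left to the operator.

```python
"""Check PHP CGI builds against the CVE-2024-4577 fixed-version ranges.

Added example, not code from the article or from Akamai. The thresholds
(8.1.29, 8.2.20, 8.3.8), the PHP-CGI condition and the Windows condition
are taken from the advisory text quoted in the article; the sample banners
are constructed.
"""
import platform
import re

# First fixed release in each affected branch, per the advisory.
FIXED_VERSIONS = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}

# First line of `php -v`, e.g. "PHP 8.2.19 (cgi-fcgi) (built: ...)".
BANNER_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)\S* \(([^)]+)\)")

# Constructed sample banners (not real host output).
SAMPLE_BANNERS = [
    "PHP 8.2.19 (cgi-fcgi) (built: May  7 2024 12:00:00) (NTS Visual C++ 2019 x64)",
    "PHP 8.3.8 (cgi-fcgi) (built: Jun  4 2024 12:00:00) (NTS Visual C++ 2019 x64)",
    "PHP 8.1.28 (cli) (built: Apr  9 2024 12:00:00) (NTS)",
]


def parse_banner(banner: str):
    """Parse the first line of `php -v` into ((major, minor, patch), sapi)."""
    first_line = banner.strip().splitlines()[0]
    m = BANNER_RE.match(first_line)
    if not m:
        raise ValueError(f"unrecognised PHP banner: {first_line!r}")
    version = tuple(int(m.group(i)) for i in (1, 2, 3))
    return version, m.group(4)


def is_vulnerable_version(version) -> bool:
    """True if the version is in an affected branch and below its fix."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Assumption: branches before 8.1 are end-of-life and received no
        # fix, so they are treated as affected; later branches as fixed.
        return version < (8, 1, 0)
    return version < fixed


def assess(banner: str, os_name: str = platform.system()) -> dict:
    """Combine version, SAPI and OS into an exposure verdict.

    All three advisory conditions (vulnerable version, PHP-CGI, Windows)
    must hold for `exposed` to be True. Whether Apache fronts the binary
    is not visible here and must be confirmed separately.
    """
    version, sapi = parse_banner(banner)
    cgi = sapi.startswith("cgi")  # php-cgi reports its SAPI as "cgi-fcgi"
    windows = os_name == "Windows"
    vulnerable_version = is_vulnerable_version(version)
    return {
        "version": ".".join(map(str, version)),
        "sapi": sapi,
        "vulnerable_version": vulnerable_version,
        "exposed": vulnerable_version and cgi and windows,
    }


if __name__ == "__main__":
    # Evaluate the constructed samples as if they came from a Windows host.
    for sample in SAMPLE_BANNERS:
        print(assess(sample, os_name="Windows"))
```

On a real host, feed the output of `php-cgi -v` into `assess` (the default `os_name` comes from `platform.system()`); a result with `exposed` set to True means the build should be moved to a fixed release before any of the temporary mitigations the article mentions are relied on.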
Lionel Litty, chief security architect at Menlo Security, added that command injection flaws like this one offer an easy path for attackers to achieve remote code execution on the server-side. The rapid wave of exploits demonstrates how attackers can invoke shell commands with minimal string encoding.
“With RCE on the server, attackers can target any content accessible to the web server user, which may include sensitive PIIs, credentials, and further access to the server-side infrastructure of the application provider,” said Litty. “They can also leverage this to serve malicious content to users of the web application, potentially tricking them into executing ransomware from a seemingly benign source.”
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He’s also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.