Ransomware known as TellYouThePass extensively attacks susceptible PHP servers
Critical PHP Vulnerability Under Active Exploitation: TellYouThePass Ransomware Targeting Affected Servers
A critical remote code execution vulnerability in the PHP programming language, known as CVE-2024-4577, has been actively exploited since at least June 7. This vulnerability, which has a CVSS score of 9.8, affects Windows PHP-CGI installations, particularly those with default XAMPP setups and certain locale configurations.
Researchers from Palo Alto Networks have confirmed active exploitation activity as of June 11, with approximately 1,000 infected hosts observed as of Thursday. The number of observed infections has since decreased to around 800. The majority of the infected hosts are located in China, with the direct impact on the U.S. being limited, as the number of compromised hosts in the U.S. peaked at 39 on Tuesday, compared with a high of 962 compromised hosts in China as of Monday.
The TellYouThePass ransomware group is reportedly exploiting this vulnerability to deploy webshells and compromise systems. This ransomware has been in existence since at least 2019 and has previously leveraged vulnerabilities in Apache Log4j and Apache ActiveMQ. The group targets vulnerable PHP servers and demands ransoms (reported as 0.1 BTC per attack) from victims after infection.
The vulnerability enables an unauthenticated attacker to bypass the previous protection for CVE-2012-1823, allowing them to execute arbitrary code remotely. This can lead to full server compromise and data theft. AI-related PHP applications are especially at risk due to sensitive data processed and the critical impact of pipeline compromise.
To mitigate this threat, it is recommended to urgently upgrade to patched PHP versions (8.3.8+, 8.2.20+, or 8.1.29+) and switch from CGI to safer alternatives such as PHP-FPM. Application-level security measures like input validation to block malicious commands should also be implemented to reduce the attack surface.
Despite patches being available since early 2024, many systems remain vulnerable due to slow update adoption, enabling ongoing exploitation by attackers like TellYouThePass.
In summary, CVE-2024-4577 remains a critical and actively exploited vulnerability in Windows PHP-CGI environments. Immediate patching and configuration changes are essential to prevent compromise from the TellYouThePass ransomware group and other threat actors.
[1] [Source 1] [2] [Source 2] [3] [Source 3] [4] [Source 4]
- The critical PHP vulnerability (CVE-2024-4577) being exploited by the TellYouThePass ransomware group is a significant concern in the realm of cybersecurity, as it poses a threat to the security of general-news and crime-and-justice media outlets that may use PHP technology.
- The exploitation of CVE-2024-4577 not only highlights the vulnerability of certain PHP configurations, but also the continued risks associated with ransomware attacks, emphasizing the importance of robust cybersecurity measures.
- The recent wave of ransomware attacks, such as the one using CVE-2024-4577, underscores the need for technology developers and users alike to prioritize timely updates and security enhancements to mitigate ongoing cyber threats.
