Tellyouthepass Ransomware and The Active Exploitation of CVE-2024-4577
PHP is mostly used as a programming language for creating dynamic websites and online applications. It operates on the server and enables seamless integration with MySQL and HTML databases. PHP is widely used by developers to efficiently create powerful websites and online apps because of its abundant documentation and ease of use.
Recently, a critical PHP vulnerability that might allow for remote command injection was made discovered. The vulnerability exists in all versions of PHP for Windows, with the exception of those installed by default using XAMPP and specifically in language configurations for Traditional Chinese, Simplified Chinese, and Japanese. The issue has been disclosed by several PoCs using publicly available exploits.
CVE-2024-4577
This vulnerability has a 9.8 (Critical) CVSS score and is identified as CVE-2024-4577. The CISA KEV (Known Exploited Vulnerabilities) collection contains known exploit code. Its EPSS Probability Score as of June 13th is 93.20%, meaning that wherever the vulnerability is present, it is very likely to be exploited in the near future.
The vulnerability results from a misconfiguration in the way PHP is implemented on Windows, particularly in relation to the encoding conversion capability known as Best-Fit. Due to this error, attackers without authentication can now circumvent previous security measures (such CVE-2012-1823) by using particular character sequences. This can lead to the execution of arbitrary code via an argument injection attack on remote PHP servers.
The vulnerability’s analysis shows that PHP’s CGI mode is impacted. PHP is vulnerable to this vulnerability even if it isn’t configured in this mode; it can be exploited by simply leaving the PHP executable binary (Default XAMPP configuration) in the CGI directory.
Typical Scenarios consist of, but are not restricted to:
- Copying php.exe or php-cgi.exe to the directory /cgi-bin/.
- Using the ScriptAlias directive, the PHP directory can be made visible. For example: ScriptAlias /php-cgi/ “C:/xampp/php/”
In this mode, a PHP script receives the parsed HTTP requests from the web server and handles them. For example, query strings on the command line are parsed and sent to the PHP interpreter; for example, a request with the format http://host/cgi.php?foo=bar may be processed as php.exe cgi.php foo=bar.
Because of the potential for command injection, input is usually processed and sanitized before invoking php.exe (as demonstrated by CVE-2012-1823). But, there is a potential vulnerability that developers failed to consider, which enables an attacker to bypass the command line and provide arguments that PHP will comprehend.
Affected Versions
XAMPP operating on Windows with traditional/simplified Chinese or Japanese settings is impacted by the known exploit code. Workloads utilizing languages other than English, however, must to be viewed as potentially exploitable.
In the same setups, PHP running on Windows outside of XAMPP may also be vulnerable.
- 8.3 < 8.3.8
- 8.2 < 8.2.20
- 8.1 < 8.1.29
- 8.0
- 7 and 5 (which are no longer supported)
Active Exploitation
The Imperva Threat Research team has alerted the international community of cyber defenders to ongoing attacks that use the major PHP vulnerability CVE-2024-4577 as a weapon to infect more target instances with ransomware. The study indicates that the adversary activity can be traced back to the TellYouThePass ransomware activities and has been ongoing since the first decade of June.
For five years, TellYouThePass has been a common ransomware strain in the cyber threat landscape. The return of the ransomware coincides with the exploitation of vulnerabilities in Log4j.
A series of persistent TellYouThePass attacks with the goal of uploading web shells and dispersing malware samples on compromised systems were discovered by the Imperva investigation. By using CVE-2024-3577, ransomware operators were able to execute arbitrary PHP code on the affected devices. Using the latter, they utilized the mshta.exe binary to launch an HTML application file hosted on the adversary’s web server. The use of Mshta.exe, a native Windows LOLBin with remote payload execution capabilities, implies that the attackers are employing a “living-off-the-land” strategy.
The ransomware TellYouThePass, which was used in the latest attack, manifests itself as.NET samples that are distributed through HTML applications. The distribution of an HTA file with malicious VBScript is the first step in the infection flow. When the ransomware is activated, it seems like a request for CSS resources, but instead of revealing device information, it sends an HTTP request to the C2 server. Moreover, a ransom note with the instructions “READ_ME10.html” is generated, providing file recovery guidance.
Recommendation
It is highly advised that all users update to PHP 8.3.8, 8.2.20, and 8.1.29, the most recent versions. The following procedures offer temporary vulnerability mitigation for systems that cannot be upgraded right away.
Mod-PHP, FastCGI, or PHP-FPM are more secure designs that are worth switching to, as PHP CGI is an antiquated and complex design.
You can use the Rewrite Rules listed below to prevent attacks. For Japanese, Simplified Chinese, and Traditional Chinese locales, these rules are merely a temporary mitigation. It is nevertheless advised to update to a patched version or switch to a more secure architecture.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? – [F,L]
Update files for this vulnerability have not yet been made available by XAMPP. You may mitigate the vulnerability if you don’t use the PHP CGI capability by changing the Apache HTTP Server configuration:
- Edit the file: C:/xampp/apache/conf/extra/httpd-xampp.conf
- Locate the following lines:
ScriptAlias /php-cgi/ “C:/xampp/php/”
- Comment out the lines:
# ScriptAlias /php-cgi/ “C:/xampp/php/”
IOCs
hxxp:/88.218.76[.]13/dd3.hta
88.218.76[.]13
95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3
5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618
9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53