The Hacker News (THN:FAF552234368EDD63CB41D6609DDFE8B)
Jul 11, 2024 - 5:19 a.m.

PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

Source: The Hacker News, thehackernews.com

Tags: php, vulnerability, exploited, malware, ddos, threat actors, cve-2024-4577, remote access trojans, cryptocurrency miners, exploit attempts, redtail, xmrig, muhstik, gh0st rat, tellyouthepass ransomware, update, installation, cloudflare, ddos attacks, q2 2024

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.7
Confidence: High
EPSS: 0.963
Percentile: 99.6%

PHP Vulnerability

Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets.

The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It was publicly disclosed in early June 2024.

“CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP,” Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg said in a Wednesday analysis. “The vulnerability itself lies in how Unicode characters are converted into ASCII.”


The web infrastructure company said it began observing exploit attempts against its honeypot servers targeting the PHP flaw within 24 hours of it being public knowledge.

This included exploits designed to deliver a remote access trojan called Gh0st RAT, cryptocurrency miners like RedTail and XMRig, and a DDoS botnet named Muhstik.

“The attacker sent a request similar to the others seen in previous RedTail operations, abusing the soft hyphen flaw with ‘%ADd,’ to execute a wget request for a shell script,” the researchers explained. “This script makes an additional network request to the same Russia-based IP address to retrieve an x86 version of the RedTail crypto-mining malware.”
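The two Akamai observations above, that the bug turns on Unicode-to-ASCII conversion and that the in-the-wild requests carry a percent-encoded soft hyphen (“%ADd”), give a defender a concrete thing to look for in web server logs. The following is an added detection example written for this page; it is not code from Akamai or The Hacker News. It assumes Apache combined-format access logs, and the log lines, IP addresses and query values in it are constructed placeholders. The heuristic flags requests to `.php` or `php-cgi` targets whose percent-decoded query string contains a soft-hyphen byte (0xAD) immediately followed by an ASCII letter; it decodes twice so that a double-encoded `%25AD` is not missed.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-style access-log lines for demonstration only;
# none of these are real captured traffic and the query values are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2024:05:19:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [11/Jul/2024:05:19:01 +0000] "POST /php-cgi/php-cgi.exe?%ADd+constructed_option%3D1 HTTP/1.1" 200 44 "-" "curl/8.0"
203.0.113.12 - - [11/Jul/2024:05:19:02 +0000] "GET /test.php?%25ADd+constructed_option%3D1 HTTP/1.1" 200 44 "-" "python-requests/2.31"
203.0.113.13 - - [11/Jul/2024:05:19:03 +0000] "GET /static/app.js?v=%AD1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.14 - - [11/Jul/2024:05:19:04 +0000] "GET /index.php?q=caf%C3%A9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need from a combined-format log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SOFT_HYPHEN = b"\xad"  # U+00AD as a single byte after percent-decoding


def decoded_query(target: str) -> bytes:
    """Return the query part of a request target, percent-decoded twice.

    The second pass catches double-encoded forms such as %25AD, which a
    single decode would leave as the literal text "%AD".
    """
    _, sep, query = target.partition("?")
    if not sep:
        return b""
    return unquote_to_bytes(unquote_to_bytes(query))


def is_php_target(target: str) -> bool:
    """True for paths that end in .php or go through php-cgi."""
    path = target.partition("?")[0].lower()
    return path.endswith(".php") or "php-cgi" in path


def has_soft_hyphen_switch(query: bytes) -> bool:
    """True if a soft hyphen is immediately followed by an ASCII letter,
    the "%ADd"-style shape the Akamai write-up describes."""
    idx = query.find(SOFT_HYPHEN)
    while idx != -1:
        if query[idx + 1:idx + 2].isalpha():  # bytes.isalpha() is ASCII-only
            return True
        idx = query.find(SOFT_HYPHEN, idx + 1)
    return False


def scan(log_text: str) -> list:
    """Return one finding per log line that matches the heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined format
        target = m["target"]
        if not is_php_target(target):
            continue
        if has_soft_hyphen_switch(decoded_query(target)):
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "method": m["method"],
                "target": target,
                "status": m["status"],
            })
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['method']} {hit['target']} -> {hit['status']}")
```

Run over the constructed sample, the scan reports the `php-cgi.exe` request and the double-encoded `/test.php` request, and ignores the static asset and the ordinary UTF-8 query. This is a triage heuristic, not a patch: a legitimate soft hyphen in a query string can produce a false positive, and a matching request that returned 200 on an unpatched Windows host deserves follow-up rather than dismissal. The article's actual remediation advice, updating PHP to the current release, still applies regardless of what the logs show.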

Last month, Imperva also revealed that CVE-2024-4577 is being exploited by TellYouThePass ransomware actors to distribute a .NET variant of the file-encrypting malware.

Users and organizations relying on PHP are recommended to update their installations to the latest version to safeguard against active threats.

“The continuously shrinking time that defenders have to protect themselves after a new vulnerability disclosure is yet another critical security risk,” the researchers said. “This is especially true for this PHP vulnerability because of its high exploitability and quick adoption by threat actors.”

The disclosure comes as Cloudflare said it recorded a 20% year-over-year increase in DDoS attacks in the second quarter of 2024, and that it mitigated 8.5 million DDoS attacks during the first six months. In comparison, the company blocked 14 million DDoS attacks for the entirety of 2023.

“Overall, the number of DDoS attacks in Q2 decreased by 11% quarter-over-quarter, but increased 20% year-over-year,” researchers Omer Yoachimik and Jorge Pacheco said in the DDoS threat report for Q2 2024.

What’s more, known DDoS botnets accounted for half of all HTTP DDoS attacks. Fake user agents and headless browsers (29%), suspicious HTTP attributes (13%), and generic floods (7%) were the other prominent HTTP DDoS attack vectors.

The most attacked country during the time period was China, followed by Turkey, Singapore, Hong Kong, Russia, Brazil, Thailand, Canada, Taiwan, and Kyrgyzstan. Information technology and services, telecom, consumer goods, education, construction, and food and beverage emerged as the top sectors targeted by DDoS attacks.

“Argentina was ranked as the largest source of DDoS attacks in the second quarter of 2024,” the researchers said. “Indonesia followed closely in second place, followed by the Netherlands in third.”

Cloudflare told The Hacker News that Ukraine was placed as the 103rd most attacked country in Q2 2024 after taking into account various parameters such as overall attack volume and their percentages out of total traffic, for HTTP DDoS attacks and network-layer DDoS attacks.

“However, when focusing on Ukraine alone, we can see that HTTP DDoS attacks have actually been gradually increasing against Ukraine over the past 4 quarters; reaching similar rates that were observed as the full scale Russian invasion of Ukraine began back in 2022,” Yoachimik, senior product manager at Cloudflare, said.

“In terms of numbers, in Q2 2024, Cloudflare mitigated 143 billion DDoS requests against Ukraine which was approximately 5.8% of all Ukraine-bound web traffic. This represents a 75% increase quarter-over-quarter and a 625% increase year-over-year.”

(The story was updated after publication to include additional insights shared by Cloudflare.)
