A long-running ransomware campaign that has been targeting Windows and Linux systems since 2019 is the latest example of how closely threat groups track public disclosures of vulnerabilities and proofs-of-concept (PoCs) and how quickly they move in to exploit them.

The PHP Group last week disclosed a high-severity flaw – tracked as CVE-2024-4577 and with an initial CVSS severity score of 9.8 out of 10 – that when exploited allows bad actors to execute arbitrary code on Windows servers that are running Apache and PHP-CGI, which is used to transfer information between a web server and a CGI program. It enables users to run a server-side prompt like PHP, Perl, or Python in response to a HTTP request.

PHP is a an open-source general-purpose scripting language used to develop web pages that is still leveraged by more than 76% of all websites more than 30 years after it was first introduced, according to W3Techs. Such widespread use makes it an attractive target for cybercriminals. The PHP Group issued a patch for the vulnerability.

“This vulnerability, which allows for remote code execution due to improper input validation, poses significant risks to web applications built with PHP,” Imperva threat researcher Jack Pincombe wrote in a blog post late last week. “Attackers can exploit this flaw to execute arbitrary code on affected servers, potentially compromising entire systems.”

No Time to Breathe

Within two days of the flaw being disclosed and a fix being issued, Imperva analysts said they detected attacks exploiting the PHP vulnerability June 8 and warned that more campaigns were likely on the way given the number of PoCs that had been published.

In another blog post this week, Imperva threat researcher Daniel Johnston wrote that the company linked the attacks to an ongoing ransomware campaign called TellYouThePass, which has been ongoing in one form or another since 2019.

The bad actors behind TellYouThePass have attacked businesses and individuals and targeted Windows and Linux systems. In the past, it’s exploited the widespread Apache Log4j vulnerability (CVE-2021-44228) and another flaw (CVE-2023-46604) discovered last year in the Java OpenWire protocol.

In the campaigns targeting the PHP flaw, bad actors in some instances were trying to upload WebShell onto targeted systems and ransomware in other attacks, Johnston wrote. They used an exploit for the vulnerability “to execute arbitrary PHP code on the target system, leveraging the code to use the ‘system’ function to run an HTML application file hosted on an attacker-controlled web server.”

It uses the mshta[.]exe binary, a native Windows binary that can execute remote payloads, indicating that the attackers behind the TellYouThePass campaign are running a living-off-the-land operation.

Code Conversion Issues

The vulnerability is the result of issues around the conversion of Unicode characters in Windows when using the CGI mode. Windows may use “Bet Fit” behavior to replace characters, which the PHP implementation didn’t account for. The PHP CGI module could misinterpret such characters as PHP options, which could allow hackers to eventually see the source code of scripts and run arbitrary PHP code on the server.

It affects most versions of PHP after 5.0 and was fixed last week with the release of versions 8.3.8, 8.2.20, and 8.1.29.

Applying Fixes is Important but Not Easy

The advice from cybersecurity vendors is for organizations to apply the fixes as quickly as possible, but it’s not such as a simple task, according to security pros. Agnidipta Sarkar, vice president of CISO advisory at cybersecurity company ColorTokens, said that while many companies will do just that, PHP is among the most popular server-side scripting languages for creating dynamic web pages to complex applications.

“Enterprises that have deployed PHP based applications in real-time, especially those with lesser security focus, will be vulnerable,” Sarkar said, adding that includes companies that “may not have planned for staging environments to patch PHP vulnerabilities quickly.”

Sarkar and Darren Guccione, co-founder and CEO of KeeperSecurity, both said a key tool for mitigating such instances is network microsegmentation, which can prevent threat actors from moving laterally in a system during a breach and give security teams the tine to patch vulnerabilities on time.

“Network segmentation is a best practice of identity and privileged access management, and is part of the solution that makes it harder for external threat actors to compromise privileged credentials or internal threat actors to misuse them,” Guccione said.

He also stressed the need for a zero-trust security model that is used with least-privilege access, role-based access controls, a single sign-on solution, and strong password security. Security event monitoring is also key, Guccione added.

“Cybercriminals closely monitor public disclosures and proof-of-concept releases to act swiftly on any vulnerability they can easily exploit,” he said. “With vulnerabilities like CVE-2024-4577, cybercriminals are aiming to gain unauthorized access to systems through unpatched PHP installations. Once inside, they move laterally across the network to compromise additional systems and locate valuable data.”