Security researchers revealed that ransomware attackers have swiftly turned a simple-to-exploit PHP programming language vulnerability—which allows malicious code to be executed on web servers—into a weapon.
As of Thursday last week, Censys' Internet scans had found 1,000 servers infected with the TellYouThePass ransomware strain, down from 1,800 on Monday. The servers, which are largely based in China, no longer display their typical content; instead, many list the site's file directory, which shows that all files have a.locked extension, indicating that they have been encrypted. The accompanying ransom note demands around $6,500 in exchange for the decryption key.
The vulnerability, identified as CVE-2024-4577 and assigned a severity rating of 9.8 out of 10, results from flaws in PHP's conversion of Unicode characters to ASCII. Best Fit, a feature integrated into Windows, enables attackers to utilise argument injection to turn user-supplied data into characters that send malicious commands to the main PHP application. Exploits enable attackers to circumvent CVE-2012-1823, a significant code execution vulnerability addressed in PHP in 2012.
CVE-2024-4577 only affects PHP when it is run in CGI mode, which involves a web server parsing HTTP requests and passing them to a PHP script for processing. Even if PHP is not configured to use CGI mode, the vulnerability may still be exploitable if PHP executables such as php.exe and php-cgi.exe are located in directories accessible to the web server. This setup is fairly uncommon, with the exception of the XAMPP platform, which includes it by default. An extra requirement appears to be that the Windows locale, which is used to personalise the OS to the user's local language, be set to Chinese or Japanese.
The critical vulnerability was made public on June 6, along with a security fix. The attackers were exploiting it within 24 hours to install TellYouThePass, Imperva researchers disclosed last week. The exploits ran malware that exploited the Windows binary mshta.exe to launch an HTML application hosted on an attacker-controlled server. The use of the programme revealed a strategy known as living off the land, in which attackers employ native OS features and tools to blend in with routine, non-malicious behaviour.
In a post published Friday, Censys researchers stated that the TellYouThePass gang's exploitation began on June 7 and mirrored previous incidents in which opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeting any accessible server. The vast majority of affected servers have IP addresses in China, Taiwan, Hong Kong, or Japan, most likely because Chinese and Japanese localities are the only ones verified to be vulnerable, Censys researchers noted in an email.
“From our perspective, many of the compromised hosts appear to remain online, but the port running the PHP-CGI or XAMPP service stops responding—hence the drop in detected infections,” researchers added. “Another point to consider is that there are currently no observed ransom payments to the only Bitcoin address listed in the ransom notes (source). Based on these facts, our intuition is that this is likely the result of those services being decommissioned or going offline in some other manner.”
