The TellYouThePass ransomware gang has been exploiting the recently patched CVE-2024-4577 remote code execution vulnerability in PHP to deliver webshells and execute their ransomware payload on target systems.
The attacks began on June 8, less than 48 hours after PHP maintainers released security updates, utilizing publicly available exploit code. TellYouThePass is notorious for quickly adopting public exploits for widespread vulnerabilities. In November, they exploited an Apache ActiveMQ RCE, and in December 2021, they used the Log4j exploit to breach companies.
In the latest attacks observed by researchers at cybersecurity company Imperva, TellYouThePass leveraged the critical-severity CVE-2024-4577 bug to execute arbitrary PHP code. They used the Windows mshta.exe binary to run a malicious HTML application (HTA) file. This file contained VBScript with a base64-encoded string that decoded into a binary, loading a .NET variant of the ransomware into the host's memory.
Ransomware Impact and Tactics
Upon execution, the malware sends an HTTP request to a command-and-control (C2) server disguised as a CSS resource request and encrypts files on the infected machine. It then leaves a ransom note, "READ_ME10.html," with instructions for the victim on how to restore their files. User posts on the BleepingComputer forum indicate that TellYouThePass attacks have claimed victims since June 8, demanding 0.1 BTC (around $6,700) for the decryption key. One user reported that the ransomware campaign affected multiple websites hosted on their server.
Vulnerability Details and Response
CVE-2024-4577 is a critical RCE vulnerability that affects all PHP versions since 5.x. It originates from unsafe character encoding conversions on Windows when used in CGI mode. The vulnerability was discovered on May 7 by Devcore's Orange Tsai, who reported it to the PHP team. A fix was released on June 6 with PHP versions 8.3.8, 8.2.20, and 8.1.29.
The following day, WatchTowr Labs released a proof-of-concept (PoC) exploit code for CVE-2024-4577. The Shadowserver Foundation observed exploitation attempts on their honeypots the same day. According to a report from Censys, over 450,000 exposed PHP servers could be vulnerable to the CVE-2024-4577 RCE vulnerability, with most located in the United States and Germany. Wiz, a cloud security startup, estimated that around 34% of these instances might be vulnerable.
