Dive Brief:
- Researchers on Friday warned a critical vulnerability in the PHP programming language is under increased exploitation activity, as the TellYouThePass ransomware group is targeting vulnerable sites, according to a blog post from Censys.
- The vulnerability, tracked as CVE-2024-4577, has been under attack from the threat group since at least June 7, with about 1,000 infected hosts observed as of Thursday, mainly located in China. The number of observed infections is down from about 1,800 as of June 10.
- The Cybersecurity and Infrastructure Security Agency added CVE-2024-4577 to its known exploited vulnerabilities catalog on Wednesday.
Dive Insight:
Devcore originally discovered the argument-injection vulnerability, which has a CVSS score of 9.8 and could allow an attacker to achieve remote code execution. The flaw lets an unauthenticated attacker bypass the protection previously put in place for CVE-2012-1823.
Researchers at Imperva first detected TellYouThePass ransomware being deployed through the vulnerability. This ransomware has been active since at least 2019 and previously leveraged a vulnerability in Apache Log4j, CVE-2021-44228, and a vulnerability in Apache ActiveMQ, CVE-2023-46604.
The ransomware is currently targeting any vulnerable PHP servers it finds, according to Censys.
“This is likely affecting a broad range of users, from individual personal website maintainers to enterprise websites,” said Himaja Motheram, security researcher at Censys. “The threat actors seem to be mass scanning the internet, rather than targeting any specific organizations.”
The direct impact on the U.S. is currently limited, as the number of compromised hosts in the U.S. peaked at 39 on Tuesday, compared with a high of 962 compromised hosts in China as of Monday.
Researchers from Palo Alto Networks confirmed they had also seen active exploitation as of June 11.
PHP released patched versions, including 8.3.8, 8.2.20 and 8.1.29, on June 6.
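The patched releases named above are the simplest thing a defender can check across an estate. The following Python is an added example, not code from Censys, Devcore or the PHP project: it parses version strings (bare, or as the first line of `php -v` prints them) and classifies each host against the fix versions listed here; the host names and versions are constructed.

```python
import re

# Patched releases for CVE-2024-4577 as named in the article, keyed by branch.
PATCHED_FOR_CVE_2024_4577 = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}

# Matches "8.2.19" or "PHP 8.2.19 (cli) (built: ...)"; trailing text is ignored.
_VERSION_RE = re.compile(r"^(?:PHP\s+)?(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from a bare version or a `php -v` line."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def cve_2024_4577_status(text: str) -> str:
    """Classify a version as 'patched', 'vulnerable' or 'unsupported-branch'.

    A branch with no patched release listed (e.g. 8.0 or 7.x) is reported as
    'unsupported-branch': no fix is named for it, so treat it as exposed.
    """
    version = parse_php_version(text)
    fixed = PATCHED_FOR_CVE_2024_4577.get(version[:2])
    if fixed is None:
        return "unsupported-branch"
    # Tuple comparison orders (8, 2, 19) < (8, 2, 20) as intended.
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host name -> status for a dict of host name -> version string."""
    return {host: cve_2024_4577_status(v) for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration only (hypothetical hosts).
    sample = {
        "web-01": "PHP 8.3.8 (cli) (built: Jun  4 2024 13:00:00) (NTS)",
        "web-02": "8.2.19",
        "web-03": "8.1.29",
        "legacy-01": "PHP 8.0.30 (cli)",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

A branch this article lists no fix for is reported as unsupported rather than patched, and a current version is only a necessary condition: whether a host was actually exposed also depends on how PHP is deployed.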