
Threat actors are exploiting a serious PHP security flaw to deliver cryptocurrency miners and remote access trojans (RATs) such as Quasar RAT.
The vulnerability assigned the CVE Identifier CVE-2024-4577 refers to a PHP argument injection vulnerability affecting Windows-based systems running in CGI mode that allows remote attackers to execute arbitrary code.
Cybersecurity firm Bitdefender said a surge in exploitation attempts against CVE-2024-4577 has been observed since the latter half of last year, with significant concentrations reported in Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%) and India (0.33%).

Approximately 15% of detected exploitation attempts consist of basic vulnerability checks using commands such as "whoami" and "echo". Another 15% revolve around commands used for system reconnaissance, such as process enumeration, network discovery, user and domain information gathering, and system metadata collection.
Martin Zugec, director of technical solutions at Bitdefender, noted that at least about 5% of detected attacks culminated in the deployment of the XMRig cryptocurrency miner.
“Another small campaign included the deployment of NiceHash miners, a platform that allows users to sell computing power for cryptocurrency,” Zugec added. “The miner process was disguised as a legitimate application, such as Javawindows.exe, to avoid detection.”

Other attacks have been found to weaponize the flaw not only to use cmd.exe to run malicious Windows Installer (MSI) files hosted on remote servers, but also to deliver remote access tools such as the open-source Quasar RAT.
In a curious twist, the Romanian company also said it had observed attempts to change the firewall configuration of vulnerable servers with the aim of blocking access to known malicious IPs associated with the exploit.
This unusual behavior raises the possibility that rival cryptojacking groups are competing for control of susceptible resources and preventing others from targeting systems already under their control. Terminating a rival's miner process before deploying one's own payload is also consistent with past observations of how cryptojacking attacks operate.
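To make the post-exploitation patterns described above concrete from a detection standpoint, here is an added Python example (not from the article or from Bitdefender). It triages constructed Windows process-creation events and flags cases where php-cgi.exe spawns the basic checks (whoami, echo), reconnaissance commands, firewall changes, rival-process kills, or an unexpected child executable such as a miner disguised as Javawindows.exe. The key=value log layout, the sample events, and the rule set are assumptions of this example, not a real log format or vendor signature.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not real telemetry). The
# "timestamp parent=... child=... cmd=..." layout is an assumption of this example.
SAMPLE_EVENTS = [
    "2025-01-10T03:14:07Z parent=php-cgi.exe child=cmd.exe cmd=cmd.exe /c whoami",
    "2025-01-10T03:14:09Z parent=php-cgi.exe child=cmd.exe cmd=cmd.exe /c echo vulnerable",
    "2025-01-10T03:15:01Z parent=php-cgi.exe child=cmd.exe cmd=cmd.exe /c tasklist",
    "2025-01-10T03:15:03Z parent=php-cgi.exe child=cmd.exe cmd=cmd.exe /c ipconfig /all",
    "2025-01-10T03:15:05Z parent=php-cgi.exe child=cmd.exe cmd=cmd.exe /c net user",
    "2025-01-10T03:16:20Z parent=php-cgi.exe child=cmd.exe cmd=cmd.exe /c netsh advfirewall firewall add rule name=x dir=in action=block remoteip=198.51.100.7",
    "2025-01-10T03:16:30Z parent=php-cgi.exe child=cmd.exe cmd=cmd.exe /c taskkill /F /IM xmrig.exe",
    "2025-01-10T03:16:40Z parent=php-cgi.exe child=Javawindows.exe cmd=Javawindows.exe",
    # A user running whoami from their own desktop session is not in scope.
    "2025-01-10T03:20:00Z parent=explorer.exe child=cmd.exe cmd=cmd.exe /c whoami",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+child=(?P<child>\S+)\s+cmd=(?P<cmd>.*)$"
)

# Web-server CGI processes that should not be launching shells or recon tools.
CGI_PARENTS = {"php-cgi.exe", "php.exe"}

# Ordered rules: the first matching pattern decides the category.
RULES = [
    ("firewall_change", re.compile(r"\bnetsh\b.*\badvfirewall\b", re.I)),
    ("kill_rival_process", re.compile(r"\btaskkill\b", re.I)),
    ("known_miner", re.compile(r"\b(xmrig|nicehash)\b", re.I)),
    ("recon", re.compile(
        r"\b(tasklist|ipconfig|systeminfo|netstat|nltest|arp|net\s+(user|group|view|localgroup))\b",
        re.I)),
    ("vuln_check", re.compile(r"\b(whoami|echo)\b", re.I)),
]


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def strip_shell_wrapper(cmd):
    """Drop a leading 'cmd.exe /c' (or /k) so rules see the actual command."""
    return re.sub(r"^\s*cmd(\.exe)?\s+/[ck]\s+", "", cmd, flags=re.I)


def classify(event):
    """Return a category for a suspicious event, or None if it is out of scope."""
    if event["parent"].lower() not in CGI_PARENTS:
        return None  # only children of the PHP CGI process are examined here
    cmd = strip_shell_wrapper(event["cmd"])
    for name, pattern in RULES:
        if pattern.search(cmd):
            return name
    if event["child"].lower() != "cmd.exe":
        # php-cgi.exe launching an arbitrary binary, e.g. a miner renamed Javawindows.exe
        return "unexpected_child"
    return "other_shell"


def triage(lines):
    """Classify every parseable event; return (findings, per-category counts)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        cat = classify(ev)
        if cat:
            findings.append((ev["ts"], cat, ev["child"], strip_shell_wrapper(ev["cmd"])))
    return findings, Counter(cat for _, cat, _, _ in findings)


if __name__ == "__main__":
    found, counts = triage(SAMPLE_EVENTS)
    for ts, cat, child, cmd in found:
        print(f"{ts} {cat:<20} {child:<16} {cmd}")
    print(dict(counts))
```

The scoping decision is the important part: a shell or reconnaissance command is unremarkable on its own, but the same command with php-cgi.exe as its parent is what the article's exploitation attempts look like on the host, so the rules only fire for children of the CGI process. On the constructed sample, eight of the nine events are flagged and the explorer.exe-launched whoami is ignored.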

The development comes shortly after Cisco Talos disclosed details of a campaign dating from the start of the year that weaponized PHP flaws in attacks targeting Japanese organizations.
Users are advised to update their PHP installations to the latest version to protect themselves from potential threats.
“Because most campaigns use LOTL tools, organizations should consider limiting the use of tools such as PowerShell in their environment to privileged users, such as administrators,” Zugec said.