
Critical vulnerability discovered in PHP CGI: how to protect your systems from CVE-2024-4577

Find out how a security flaw in PHP CGI threatens your Windows servers and what immediate steps to take to protect yourself

Akamai has discovered a serious vulnerability in PHP (CVE-2024-4577) that allows remote code execution on Windows systems with CGI configurations. Bad actors are exploiting it to spread malware and crypto mining payloads. Installing patches and using a WAF are critical for protection.


Akamai Technologies' Security Intelligence Response Team (SIRT) has identified a dangerous vulnerability in PHP, tracked as CVE-2024-4577. The flaw affects PHP installations running in CGI mode, the interface through which web servers hand requests to external programs. It primarily impacts Windows systems localized in Chinese and Japanese, but the full extent of vulnerable installations is still under investigation. Just 24 hours after the vulnerability was published, the SIRT team detected numerous exploit attempts, highlighting both its severity and the speed with which threat actors adopted it. Attackers exploit the flaw for remote code execution (RCE) via command injection, and it has already been used in malware campaigns such as Gh0stRAT and by crypto miners such as RedTail and XMRig.

Vulnerability mechanism and potential exploits

The vulnerability stems from the way PHP's CGI handler interprets certain Unicode characters. An attacker can send a request that, because of this flaw, is misinterpreted and causes attacker-supplied PHP code to be executed. The exploit uses the php://input stream wrapper to carry that code in the body of the HTTP request, manipulating options such as auto_prepend_file and allow_url_include. The malicious and legitimate input strings look identical but differ in one character: a standard hyphen (0x2D) versus a "soft hyphen" (0xAD). That difference lets the attack bypass PHP's checks and append extra arguments to the command line, increasing the versatility of the exploit.

Detailed analysis of the malware involved

Among the exploits identified, Gh0stRAT was detected in Akamai honeypots, systems deployed to attract and analyze attacks. This malware is UPX-packed; it manipulates HTTP installations and distributes malicious payloads, including additional malware fetched from remote servers. The RedTail crypto miner deploys a shell script that downloads and executes the mining malware, targeting directories with specific permissions. The Muhstik campaign uses a shell script to download an ELF file intended for crypto mining and DDoS attacks, while XMRig uses PowerShell to download and execute scripts from a remote mining pool and then performs cleanup operations to hide the attack.

Recommendations and security measures

Akamai strongly recommends applying the necessary patches immediately and monitoring systems for indicators of compromise (IoCs). Customers using Akamai's Web Application Firewall (WAF) and Adaptive Security Engine are already protected from these threats by the specific rules and configurations provided. Implementing these measures is critical to a robust defense against the many forms of attack that exploit CVE-2024-4577; they help preserve the integrity of your systems and prevent future compromises.
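As an added illustration (not part of the original article and not Akamai's code), the following Python scanner turns the mechanism described above and the monitoring recommendation into concrete detection logic: it walks web-server access-log lines and flags requests whose query string contains a soft hyphen (U+00AD) in the position of a command-line switch, or that name the PHP directives the article says the exploit manipulates. The log lines are constructed samples, the log format is a simplified Apache combined format, and the paths, severity scheme and directive list are assumptions chosen for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic), in a simplified
# Apache combined format: client, timestamp, request line, status.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /index.php?page=about-us HTTP/1.1" 200',
    '10.0.0.6 - - [12/Jun/2024:10:01:09 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1 HTTP/1.1" 200',
    '10.0.0.7 - - [12/Jun/2024:10:01:15 +0000] "GET /cgi-bin/php-cgi?%2Dd+display_errors%3D1 HTTP/1.1" 403',
    # Raw 0xAD byte in the log (read as Latin-1) inside an ordinary parameter.
    '10.0.0.8 - - [12/Jun/2024:10:01:20 +0000] "GET /index.php?q=soft\xadhyphen HTTP/1.1" 200',
]

SOFT_HYPHEN = "\u00ad"   # the 0xAD character that is confused with a real hyphen (0x2D)

# PHP directives the article names as the ones the exploit manipulates
# (assumed list for this example; extend it for your own environment).
SUSPICIOUS_DIRECTIVES = ("allow_url_include", "auto_prepend_file")
SUSPICIOUS_WRAPPER = "php://input"

# A soft hyphen at the start of the query, or after a separator, followed by
# a letter has the shape of a disguised option switch such as "-d".
SWITCH_SHAPE = re.compile(r"(?:^|[\s+&])" + SOFT_HYPHEN + r"[A-Za-z]")

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def decode_query(query):
    """Percent-decode a query string, decoding bytes as Latin-1 so that a lone
    %AD survives as U+00AD (under UTF-8 it would become U+FFFD and be missed).
    A UTF-8-encoded soft hyphen (%C2%AD) also decodes to a string containing U+00AD."""
    return unquote(query, encoding="latin-1", errors="replace")


def scan_line(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    decoded = decode_query(query)

    findings = []
    switch_like = bool(SWITCH_SHAPE.search(decoded))
    if switch_like:
        findings.append("soft hyphen (U+00AD) in the position of a command-line switch")
    elif SOFT_HYPHEN in decoded:
        findings.append("soft hyphen (U+00AD) present in query string")
    for directive in SUSPICIOUS_DIRECTIVES:
        if directive in decoded:
            findings.append(f"PHP directive {directive} in query string")
    if SUSPICIOUS_WRAPPER in decoded:
        findings.append("php://input wrapper referenced in query string")

    if not findings:
        return None
    # Switch-shaped soft hyphens are the exploit signature; a stray soft hyphen
    # elsewhere (e.g. pasted text) is worth a look but is not conclusive.
    severity = "high" if switch_like else "medium"
    return {"path": path, "severity": severity, "findings": findings}


def scan_log(lines):
    """Scan an iterable of log lines and return the non-empty findings in order."""
    return [r for r in (scan_line(line) for line in lines) if r]


if __name__ == "__main__":
    for result in scan_log(SAMPLE_LOG):
        print(result["severity"].upper(), result["path"], "; ".join(result["findings"]))
```

The decoding choice is the important part: because the exploit relies on one byte (0xAD) that is not valid on its own in UTF-8, a scanner that percent-decodes as UTF-8 silently replaces it and never sees the signature. The same normalization is what a WAF rule has to perform at the edge. Note that the third sample line, which uses a real hyphen, is not flagged, since PHP's own check already rejects that form; the vulnerability is precisely that the soft-hyphen variant slips past it.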


07/12/2024 08:01

Marco Verro
