Targeting of PHP vulnerability expands globally


Attempted exploitation of CVE-2024-4577, an already patched critical remote code execution vulnerability affecting PHP running in CGI mode on Windows, was found by GreyNoise researchers to have escalated in January across the U.S., Japan, Singapore and other parts of the world, according to The Record, a news site owned by cybersecurity firm Recorded Future.
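For readers who want to check their own web server logs for the kind of scanning GreyNoise describes, the following is an added example and not code from the article, GreyNoise or Cisco Talos. It relies on the publicly documented mechanism of CVE-2024-4577: on Windows PHP-CGI under certain code pages, the soft hyphen byte 0xAD is "best-fit" mapped to an ASCII hyphen, so a query string such as `?%ADd+allow_url_include%3d1` reaches the CGI argument parser as `-d allow_url_include=1`. The marker option names and the sample log lines are constructed for the example and are assumptions, not artifacts from the reported campaigns.

```python
import re
from urllib.parse import unquote_to_bytes

# php.ini directives commonly injected via "-d" in published CVE-2024-4577
# proofs of concept. Assumption for this example, not taken from the article.
INI_MARKERS = (b"allow_url_include", b"auto_prepend_file", b"php://input",
               b"cgi.force_redirect", b"disable_functions")

# Combined-log request field: "METHOD TARGET PROTOCOL"
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) (HTTP/[\d.]+)"')

# Byte 0xAD (soft hyphen) at an argument boundary followed by a letter, i.e.
# what becomes "-d" (or "-s", "-n", ...) after Windows best-fit mapping.
# Anchoring to the boundary avoids flagging a soft hyphen inside a normal value.
SOFT_HYPHEN_OPT_RE = re.compile(rb"(?:^|\s)\xad[A-Za-z]")


def decode_query(query: str) -> bytes:
    """Percent-decode to raw bytes so %AD / %ad become the single byte 0xAD,
    and '+' becomes the space that CGI argument splitting keys on."""
    return unquote_to_bytes(query.replace("+", " "))


def classify_request(target: str) -> dict:
    """Classify one request target (path plus query) and explain the verdict."""
    path, _, query = target.partition("?")
    decoded = decode_query(query)
    soft_hyphen_option = SOFT_HYPHEN_OPT_RE.search(decoded) is not None
    markers = [m.decode() for m in INI_MARKERS if m in decoded]
    # A 0xAD-prefixed option is enough on its own. Two or more ini markers
    # without it still indicate a php-cgi argument-injection probe, which also
    # covers older CVE-2012-1823-style requests that use a literal "-d".
    suspicious = soft_hyphen_option or len(markers) >= 2
    return {"path": path, "soft_hyphen_option": soft_hyphen_option,
            "markers": markers, "suspicious": suspicious}


def scan_log(lines):
    """Return (client_ip, path, verdict) for each line that looks like an attempt."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify_request(m.group(2))
        if verdict["suspicious"]:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, verdict["path"], verdict))
    return hits


# Constructed sample access-log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2025:10:00:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "POST /cgi-bin/php-cgi'
    '?%ADd+cgi.force_redirect%3d0+%ADd+disable_functions%3d%22%22 HTTP/1.1" 200 300',
    # Legitimate soft hyphen inside a search term: must not be flagged.
    '192.0.2.4 - - [10/Jan/2025:10:00:04 +0000] "GET /search.php?q=soft%ADhyphen HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {path} soft_hyphen_option={verdict['soft_hyphen_option']} "
              f"markers={verdict['markers']}")
```

The check decodes the query to bytes before matching, so `%AD`, `%ad` and a raw 0xAD byte are all treated the same way, and it anchors the soft hyphen to an argument boundary so that a soft hyphen embedded in an ordinary parameter value (the fourth sample line) is not reported. A 200 response to such a request is worth treating as a likely compromise rather than a mere probe, since the PoC payload executes PHP supplied in the request body.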

The findings, which point to broader exploitation than previously thought, came a day after Cisco Talos reported that intrusions leveraging the flaw had primarily targeted Japanese organizations.

The threat actors behind the Japan-focused campaign used a command-and-control server to deploy a range of malicious tools and frameworks aimed at stealing credentials and establishing persistence on compromised systems, activity that Cisco Talos researchers said could portend more significant attacks in the future.

Both the GreyNoise and Cisco Talos reports come months after Symantec researchers first reported the PHP-CGI vulnerability being exploited in an attack against a Taiwanese university, just weeks after the patch was released.

