Critical 9.8 PHP flaw exploited in US, Japan and Singapore

A critical 9.8 PHP flaw that was originally found exploiting Japanese organizations was observed expanding its malicious activities to multiple regions, including the United States and Singapore.

Cisco Talos reported last week that attackers were exploiting CVE-2024-4577 since January, and on March 7, Grey Noise posted in a blog that the attacks had expanded beyond Japan.

The researchers said the attackers exploited the PHP-CGI installation on Windows systems to deploy Cobalt Strike beacons and run post-exploitation activities. In doing so, the attackers established persistence, elevating to System level privileges, and gained potential access to frameworks, indicating the likelihood of future attacks.

“Because exploitation of this vulnerability could lead to unauthorized command execution on the server, the possible impacts could include a full system compromise, even leading to the deployment of ransomware,” said Agnidipta Sarkar, vice president and CISO Advisory at ColorTokens.

CISA recommended in June 2024 that organizations apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. And, the National Vulnerability Database (NVD) has a huge list of advisories, solutions, and tools that contain a list of patches.

 “Security leaders should immediately put the system in containment and apply the patches,” said Sarkar. “If they do not have microsegmentation in place, they should restrict access using firewalls and VPNs until the vulnerability is addressed or the server gets replaced with another that’s not vulnerable.”

Jason Soroko, senior fellow at Sectigo, said PHP suffers from a critical vulnerability in its CGI module on Windows servers running Apache. He said the flaw occurs because PHP’s Windows implementation fails to properly account for Best-Fit conversion when processing Unicode characters.

“Attackers can supply crafted Unicode sequences that the system converts into misinterpreted PHP options,” said Soroko. “This enables remote code execution with a CVSS score of 9.8 and allows threat actors to inject arbitrary arguments, ultimately executing malicious code on vulnerable systems.”

Soroko added that the flaw poses severe risks as it permits attackers to gain full system control, modify registry keys, schedule tasks, and establish persistent backdoors.

“Exploitation has already been observed in campaigns targeting multiple sectors and countries, with ransomware gangs using the vulnerability to escalate privileges,” said Soroko. “Security teams should immediately deploy the official patch released by PHP maintainers or upgrade to a patched version.”