Not long after a new PHP bug was disclosed in the late spring, Akamai researchers observed numerous attempts to exploit the vulnerability, which they said indicates high exploitability and quick adoption by threat actors.
Because PHP is one of the most popular server-side scripting languages used to create dynamic web pages on more than 75% of websites, security researchers said many enterprises that have deployed PHP-based applications are vulnerable.
The vulnerability — CVE-2024-4577 — was exploited to execute remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) attacks.
In a July 10 blog post, Akamai researchers said one such attempt involved Gh0st RAT malware, an open-source remote access trojan that has been around for more than 15 years.
Akamai honeypots also observed a RedTail cryptomining operation using CVE-2024-4577 within days of the vulnerability’s disclosure. And the researchers also found a Muhstik malware sample, which has been previously documented targeting Internet-of-Things and Linux servers for cryptomining and DDoS attacks.
PHP flaws, such as CVE-2024-4577, are exceptionally dangerous because of PHP's widespread adoption, said Michael Skelton, vice president of operations and hacker success at Bugcrowd. Skelton said these vulnerabilities can lead to server-side command execution that compromises entire web servers and can result in further exploitation of adjacent systems and services.
“The level of access they allow can also enable the deployment of persistent access, allowing future compromises even after the initial flaw has been addressed,” said Skelton. “While Akamai and other provider mitigations are available for temporary protection, these solutions can often be bypassed. The best response to such vulnerabilities is to apply patches as soon as they are released and conduct thorough incident response efforts on potentially compromised systems to ensure no attacker persistence remains.”
Lionel Litty, chief security architect at Menlo Security, added that command injection flaws such as this one offer a very easy path for attackers to get remote code execution on the server-side. As we have seen with the rapid flurry of exploits, Litty said this gives exploit writers a mechanism to essentially invoke shell commands with just a little bit of string encoding.
“With RCE on the server, an attacker can now target any content accessible to the web server user on the server, which — depending on the web application — may include sensitive PIIs, credentials, as well as credentials to further pivot into the server-side infrastructure of the application provider,” said Litty. “In addition, they can also leverage this to further serve malicious contents to users of this web application, trying to trick them into executing ransomware from what they believe to be a benign source.”
