Threat Actors Exploited PHP-CGI RCE Vulnerability To Attack Windows Machines
- From the site: Vulnerability (cybersecuritynews.com)
Author: Tushar Subhra Dutta
Cisco Talos recently uncovered a series of sophisticated cyberattacks exploiting a critical PHP vulnerability to compromise Windows machines.
The malicious activities conducted by unknown attackers have been ongoing since January 2025, predominantly targeting organizations in Japan across various business sectors including technology, telecommunications, entertainment, education, and e-commerce.
The attackers are exploiting CVE-2024-4577, a remote code execution vulnerability in the PHP-CGI implementation of PHP on Windows systems.
This critical flaw stems from the “Best-Fit” behavior in Windows code pages, where certain characters in command-line inputs are replaced. The PHP-CGI module misinterprets these characters as PHP options, enabling attackers to execute arbitrary PHP code on servers running Apache with a vulnerable PHP-CGI setup.
To exploit this vulnerability, the attackers utilize a publicly available Python script called “PHP-CGI_CVE-2024-4577_RCE.py” that sends specially crafted POST requests to target URLs.
The script checks if a URL is vulnerable by looking for the MD5 hash “e10adc3949ba59abbe56e057f20f883e” in the response, indicating successful exploitation.
Upon confirmation, the attackers execute PowerShell commands through PHP code to download and run a PowerShell injector script from their command and control (C2) server.
Cisco Talos analysts identified that the attack chain begins with this initial exploitation, followed by privilege escalation, persistence establishment, detection evasion, lateral movement, and credential theft.
The C2 servers identified in the attack are hosted on Alibaba cloud with IP addresses 38.14.255.23 and 118.31.18.77.
Post-Exploitation Activities
After gaining initial access, the attackers deploy a PowerShell injector script containing either base64-encoded or hexadecimal data blob of Cobalt Strike reverse HTTP shellcode.
When executed, this script injects the shellcode into the victim machine’s memory and establishes a connection to the C2 server over HTTP.
A portion of the obfuscated PowerShell code looks like this:
Set-StrictMode -Version 2
function func_get_proc_address {
    Param ($var_module, $var_procedure)
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
}
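As an added example (not code from the article or from Cisco Talos), the following Python scanner flags PowerShell scripts that combine the stager markers visible in the excerpt above with a long base64 or hexadecimal blob, which is how the article says the Cobalt Strike shellcode is carried. The run-length thresholds, the "two markers plus one blob" rule and the sample scripts are assumptions constructed for the demonstration; the base64 payload in the sample is repeated filler, not shellcode.

```python
import re

# Indicators lifted from the injector excerpt quoted in the article.
STAGER_MARKERS = (
    "Set-StrictMode -Version 2",
    "func_get_proc_address",
    "GlobalAssemblyCache",
    "Microsoft.Win32.UnsafeNativeMethods",
)

# The article says the shellcode arrives as a base64 or hexadecimal blob.
# 200 characters / 100 byte literals are assumed thresholds, not Talos figures.
HEX_BLOB = re.compile(r"(?:0x[0-9A-Fa-f]{2}\s*,\s*){100,}|\b[0-9A-Fa-f]{200,}\b")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def scan_powershell(script: str) -> dict:
    """Score a PowerShell script for the injector pattern described above."""
    markers = [m for m in STAGER_MARKERS if m in script]
    # Hex is checked first because a hex run is also a valid base64 run.
    if HEX_BLOB.search(script):
        blob = "hex"
    elif BASE64_BLOB.search(script):
        blob = "base64"
    else:
        blob = None
    # Assumed decision rule: an encoded blob plus at least two stager markers.
    suspicious = blob is not None and len(markers) >= 2
    return {"markers": markers, "blob": blob, "suspicious": suspicious}


# Constructed sample: the two lines quoted in the article followed by a
# placeholder base64 payload ("QUJD" repeated, i.e. not real shellcode).
INJECTOR_SAMPLE = (
    "Set-StrictMode -Version 2\n"
    "function func_get_proc_address { Param ($var_module, $var_procedure) "
    "$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | "
    "Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1]"
    ".Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') }\n"
    "$var_code = [System.Convert]::FromBase64String('" + "QUJD" * 80 + "')\n"
)

# Constructed benign administrative script for comparison.
BENIGN_SAMPLE = (
    "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Remove-Item\n"
)

if __name__ == "__main__":
    for name, text in (("injector", INJECTOR_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_powershell(text))
```

Run the file directly to see both verdicts; in practice the scanner would be pointed at PowerShell script-block logs (Event ID 4104) or at files dropped in web-writable directories, and the marker list extended as new stager variants are observed.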
For post-exploitation activities, the attackers utilize plugins from the “TaoWu” Cobalt Strike kit. They establish persistence by modifying registry keys and creating scheduled tasks using commands such as:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Svchost /t REG
sharpTask.exe --AddTask Computer|local|hostname|ip 24h:time|12:30 \ some Servi
To evade detection and remove traces of their activities, the attackers clear Windows event logs using the following commands:
wevtutil cl security
wevtutil cl system
wevtutil cl application
wevtutil cl windows powershell
For lateral movement, the attackers perform network reconnaissance using tools like “fscan.exe” and “Seatbelt.exe” to map potential targets within the victim’s network:
fscan.exe -h 192[.]168[.]1[.]1/24
Seatbelt.exe -group=Remote -full
They also abuse Group Policy Objects using “SharpGPOAbuse.exe” to execute malicious PowerShell scripts across the network and ultimately execute Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from the victim’s machine memory.
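The persistence, log-clearing, reconnaissance, GPO-abuse and credential-dumping commands listed above map onto a handful of process-creation patterns a defender can hunt for. The following added example (written for this page, not code from the article or from Cisco Talos) runs simple command-line rules over constructed process-creation events in a `time|host|user|command_line` format and tallies hits per host. The MITRE ATT&CK technique labels are real, but the rule patterns, thresholds, hostnames, timestamps and the `schtasks` / `sekurlsa::logonpasswords` alternatives are assumptions added for the demonstration.

```python
import re
from collections import Counter

# Each rule pairs an ATT&CK technique with a command-line pattern drawn from
# the tooling the article describes. Matching on binary names is brittle
# (attackers rename tools), so treat these as hunting seeds, not a full ruleset.
# Log clearing additionally leaves Security Event ID 1102 / System Event ID 104,
# which remain even if process telemetry is missing.
RULES = [
    ("T1070.001 clear Windows event log",
     re.compile(r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b', re.I)),
    ("T1547.001 Run-key persistence",
     re.compile(r'\breg(?:\.exe)?\s+add\s+"?HK(?:LM|CU)\\Software\\Microsoft'
                r'\\Windows\\CurrentVersion\\Run\b', re.I)),
    ("T1053.005 scheduled task creation",
     re.compile(r'\b(?:sharpTask(?:\.exe)?\s+--AddTask|schtasks(?:\.exe)?\s+/create)\b', re.I)),
    ("T1046 network scan / host survey",
     re.compile(r'\b(?:fscan|Seatbelt)(?:\.exe)?\b', re.I)),
    ("T1484.001 Group Policy abuse",
     re.compile(r'\bSharpGPOAbuse(?:\.exe)?\b', re.I)),
    ("T1003.001 LSASS credential dumping",
     re.compile(r'\bmimikatz\b|sekurlsa::logonpasswords', re.I)),
]

# Constructed process-creation events (Sysmon ID 1 / Security 4688 style).
# Hosts, times, paths and arguments are invented for the example.
SAMPLE_EVENTS = r"""
2025-01-15T10:21:40Z|WEBSRV01|NT AUTHORITY\SYSTEM|powershell.exe -nop -w hidden -c "Get-Date"
2025-01-15T10:22:01Z|WEBSRV01|NT AUTHORITY\SYSTEM|reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Svchost /t REG_SZ /d C:\Users\Public\svc.exe
2025-01-15T10:22:05Z|WEBSRV01|NT AUTHORITY\SYSTEM|sharpTask.exe --AddTask Computer|local|hostname|ip 24h:time|12:30
2025-01-15T10:25:12Z|WEBSRV01|NT AUTHORITY\SYSTEM|wevtutil cl security
2025-01-15T10:25:13Z|WEBSRV01|NT AUTHORITY\SYSTEM|wevtutil cl "windows powershell"
2025-01-15T10:30:00Z|WEBSRV01|NT AUTHORITY\SYSTEM|fscan.exe -h 192.168.1.1/24
2025-01-15T10:31:00Z|WEBSRV01|NT AUTHORITY\SYSTEM|Seatbelt.exe -group=Remote -full
2025-01-15T10:40:00Z|WEBSRV01|NT AUTHORITY\SYSTEM|SharpGPOAbuse.exe <arguments omitted>
2025-01-15T10:45:00Z|WEBSRV01|NT AUTHORITY\SYSTEM|mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2025-01-15T11:00:00Z|FILESRV02|CORP\backupsvc|robocopy D:\Shares \\backup\d /MIR
"""


def parse_event(line: str) -> dict:
    # maxsplit=3 keeps the pipes that sharpTask itself uses inside the command.
    time, host, user, cmd = line.split("|", 3)
    return {"time": time, "host": host, "user": user, "cmd": cmd}


def detect(events: str) -> list:
    """Return one finding per (event, rule) match."""
    findings = []
    for raw in events.strip().splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        for technique, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({"time": ev["time"], "host": ev["host"],
                                 "technique": technique, "cmd": ev["cmd"]})
    return findings


def by_host(findings: list) -> dict:
    """Count findings per host: several distinct techniques on one host within
    a short window is the chain the article describes and merits an alert."""
    return dict(Counter(f["host"] for f in findings))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f["time"], f["host"], f["technique"], "<-", f["cmd"])
    print(by_host(hits))
```

On the constructed sample every rule fires at least once on WEBSRV01 and nothing fires on the file server, which is the split a defender wants: the alert is the cluster of techniques on one host shortly after a web-facing PHP-CGI process, not any single command in isolation.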
The attackers’ tradecraft has similarities with techniques used by a hacker group called “Dark Cloud Shield” or “You Dun” in their 2024 attacks, although Talos is not attributing the current campaign to this group based on current evidence.
The researchers also discovered that the attackers had access to a pre-configured installer script on their C2 server that could deploy a full suite of adversarial tools and frameworks hosted on an Alibaba Cloud container registry, indicating potential future attack capabilities beyond credential harvesting.