Ransomware attackers are quickly weaponizing a PHP vulnerability with a severity rating of 9.8

Ransomware criminals have quickly weaponized an easy-to-exploit vulnerability in the PHP programming language that allows malicious code to be executed on web servers, security researchers said.

As of Thursday, internet scans by security firm Censys found 1,000 servers infected with a strain of ransomware known as TellYouThePass, down from the 1,800 detected on Monday. The servers, located mainly in China, no longer display their usual content; instead, many list the site’s file directory, showing that every file carries the .locked extension, a sign that it has been encrypted. The accompanying ransom note demands approximately $6,500 for decryption.

Figure: Screenshot of PHP servers infected by TellYouThePass ransomware. Credit: Censys

Figure: Accompanying ransom note. Credit: Censys

When opportunity knocks

The vulnerability, tracked as CVE-2024-4577 and rated 9.8 out of 10, is caused by errors in PHP’s conversion of Unicode characters to ASCII. A Windows feature known as Best Fit allows attackers to use a technique known as argument injection: user-supplied input is converted into characters that pass malicious commands to the underlying PHP application. The exploits let attackers bypass the fix for CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.

CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which the web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP is not set to CGI mode, the vulnerability can still be exploited if PHP executables such as php.exe and php-cgi.exe sit in directories accessible by the web server. This configuration is fairly rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement is that the Windows locale, the setting that adapts the OS to the user’s language and region, must be set to either Chinese or Japanese.
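The three exposure conditions above (PHP handed to a CGI binary, php.exe or php-cgi.exe reachable through the web server, and a Chinese or Japanese locale) can be checked mechanically. The following is an added example written for this page, not code from Censys, Imperva or the PHP or XAMPP projects. It parses an Apache-style configuration excerpt (the samples are constructed here and are not copied from a real XAMPP install), reports directives that route .php requests to a CGI binary, lists PHP binaries that fall under a DocumentRoot, Alias or ScriptAlias target, and combines that with the locale. The directive patterns, the `zh`/`ja` locale prefix test and the function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Apache directives that route .php requests to the CGI binary instead of loading PHP
# as a server module. The patterns are deliberately broad (assumed, not from the page);
# treat each hit as something to review rather than proof of exposure.
CGI_DIRECTIVE_PATTERNS = [
    re.compile(r"^Action\s+\S+\s+\S*php-cgi", re.I),   # Action <mime> "/php-cgi/php-cgi.exe"
    re.compile(r"^ScriptAlias\s+\S+\s+.*php", re.I),   # ScriptAlias /php-cgi/ "C:/xampp/php/"
    re.compile(r"^SetHandler\s+\S*php-cgi", re.I),     # SetHandler application/x-httpd-php-cgi
]
# Directives whose filesystem target becomes reachable over HTTP.
REACHABLE_DIR_PATTERN = re.compile(r'^(?:DocumentRoot|Alias|ScriptAlias)\s+(?:\S+\s+)?"?([^"\s]+)"?', re.I)
# The article states only that Chinese and Japanese locales are affected.
AFFECTED_LOCALE_PREFIXES = ("zh", "ja")


def _directive_lines(httpd_conf: str):
    """Yield non-empty, non-comment configuration lines with surrounding whitespace removed."""
    for line in httpd_conf.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped


def find_cgi_directives(httpd_conf: str) -> list:
    """Return configuration lines that hand PHP requests to a CGI binary."""
    return [l for l in _directive_lines(httpd_conf)
            if any(p.match(l) for p in CGI_DIRECTIVE_PATTERNS)]


def web_reachable_dirs(httpd_conf: str) -> list:
    """Return filesystem directories the web server exposes (DocumentRoot, Alias, ScriptAlias)."""
    dirs = []
    for l in _directive_lines(httpd_conf):
        m = REACHABLE_DIR_PATTERN.match(l)
        if m:
            dirs.append(PureWindowsPath(m.group(1)))
    return dirs


def exposed_binaries(httpd_conf: str, binary_paths) -> list:
    """Return PHP executables that live under a web-reachable directory."""
    roots = web_reachable_dirs(httpd_conf)
    return [b for b in binary_paths
            if any(PureWindowsPath(b).is_relative_to(r) for r in roots)]


def locale_is_affected(locale_name: str) -> bool:
    """True for Chinese or Japanese locale identifiers such as zh-CN, zh_TW or ja-JP."""
    return locale_name.lower().replace("_", "-").startswith(AFFECTED_LOCALE_PREFIXES)


@dataclass
class Assessment:
    cgi_directives: list = field(default_factory=list)
    exposed_binaries: list = field(default_factory=list)
    locale_affected: bool = False

    @property
    def at_risk(self) -> bool:
        # Both a vulnerable locale and one of the two PHP exposure routes are required.
        return self.locale_affected and bool(self.cgi_directives or self.exposed_binaries)


def assess(httpd_conf: str, binary_paths, locale_name: str) -> Assessment:
    return Assessment(
        cgi_directives=find_cgi_directives(httpd_conf),
        exposed_binaries=exposed_binaries(httpd_conf, binary_paths),
        locale_affected=locale_is_affected(locale_name),
    )


# Constructed sample in XAMPP's Apache style; not copied from a real installation.
SAMPLE_CGI_CONF = """\
DocumentRoot "C:/xampp/htdocs"
<IfModule alias_module>
    ScriptAlias /php-cgi/ "C:/xampp/php/"
</IfModule>
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
"""

# Constructed sample of PHP loaded as an Apache module, with the binaries outside the web root.
SAMPLE_MODULE_CONF = """\
DocumentRoot "C:/site/htdocs"
LoadModule php_module "C:/php/php8apache2_4.dll"
AddHandler application/x-httpd-php .php
"""

SAMPLE_BINARIES = ["C:/xampp/php/php-cgi.exe", "C:/xampp/php/php.exe", "C:/php/php-cgi.exe"]

if __name__ == "__main__":
    for name, conf in (("cgi", SAMPLE_CGI_CONF), ("module", SAMPLE_MODULE_CONF)):
        a = assess(conf, SAMPLE_BINARIES, "zh-CN")
        print(f"{name}: at_risk={a.at_risk} cgi={len(a.cgi_directives)} exposed={a.exposed_binaries}")
```

On a real host the locale comes from the OS rather than a string argument, and the binary list from a filesystem walk of the PHP install; the configuration parsing above is line-based and does not honour `Include` directives, so feed it the merged configuration.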

The critical vulnerability was disclosed on June 6 together with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers at security firm Imperva reported on Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted on a server controlled by the attacker. The use of that binary indicates an approach known as living off the land, in which attackers use native OS functions and tools to blend in with normal, non-malicious activity.

In a post published on Friday, Censys researchers said the TellYouThePass gang’s exploitation began on June 7 and echoes past incidents in which the group opportunistically mass-scanned the Internet for vulnerable systems following a high-profile vulnerability and targeted any accessible server. Censys researchers said in an email that the IP addresses of the vast majority of infected servers were located in China, Taiwan, Hong Kong or Japan, which is consistent with only the Chinese and Japanese locales having been confirmed vulnerable.

Since then, the number of infected sites — detected by observing a public-facing HTTP response that serves an open directory listing of the server’s file system, together with the ransom note’s distinctive file naming convention — has fluctuated from a low of 670 on June 8 to 1,800 on Monday.
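The detection heuristic Censys describes (an exposed directory listing whose entries carry the .locked extension, plus a ransom note file) can be reproduced against saved HTTP responses. The following is an added example for this page, not Censys's scanner or any code from the article. The directory listings are constructed samples in Apache "Index of" style, and the ransom-note filename pattern is a placeholder assumption, since the article does not name the note file; replace it with the indicators from the Imperva report.

```python
import re
from html.parser import HTMLParser

LOCKED_SUFFIX = ".locked"  # extension the article reports on encrypted files
# Placeholder: the article does not give the note's filename, so match a few generic
# words and swap in your own indicators.
NOTE_PATTERN = re.compile(r"read[_\- ]?me|ransom|decrypt", re.I)


class _ListingParser(HTMLParser):
    """Collect the <title> text and every <a href> from an HTML directory listing."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def analyze_listing(body: str) -> dict:
    """Summarise a response body: is it an open directory, and what does it contain?"""
    parser = _ListingParser()
    parser.feed(body)
    # Keep file entries only: drop sort-order links (?C=N;O=D), parent and subdirectory links.
    names = [h.rsplit("/", 1)[-1] for h in parser.hrefs
             if not h.startswith("?") and not h.endswith("/")]
    locked = [n for n in names if n.lower().endswith(LOCKED_SUFFIX)]
    return {
        "open_directory": parser.title.strip().lower().startswith("index of"),
        "file_count": len(names),
        "locked_count": len(locked),
        "ransom_notes": [n for n in names if NOTE_PATTERN.search(n)],
    }


def looks_compromised(body: str, min_locked: int = 1) -> bool:
    """Apply the article's heuristic: open listing plus encrypted files (note file optional)."""
    r = analyze_listing(body)
    return r["open_directory"] and r["locked_count"] >= min_locked


# Constructed sample of a listing matching the description in the article.
SAMPLE_INFECTED = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><ul>
<li><a href="?C=N;O=D">Name</a></li>
<li><a href="/">Parent Directory</a></li>
<li><a href="how_to_decrypt.txt">how_to_decrypt.txt</a></li>
<li><a href="index.php.locked">index.php.locked</a></li>
<li><a href="config.php.locked">config.php.locked</a></li>
<li><a href="assets/">assets/</a></li>
</ul></body></html>"""

# Constructed sample of an ordinary open directory with no encryption indicators.
SAMPLE_CLEAN = """<html><head><title>Index of /downloads</title></head><body>
<ul><li><a href="/">Parent Directory</a></li>
<li><a href="readme.txt">readme.txt</a></li>
<li><a href="report.pdf">report.pdf</a></li></ul></body></html>"""

if __name__ == "__main__":
    for label, body in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, looks_compromised(body), analyze_listing(body))
```

Note that the clean sample still matches the placeholder note pattern through readme.txt, which is why `looks_compromised` keys on the .locked files and treats the note only as supporting evidence; in a real scan you would also record the HTTP status and the response's hosting details for correlation.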

Figure: Daily compromises of PHP servers and their geolocation. Credit: Censys

Censys researchers said in an email that they weren’t entirely sure what caused the numbers to change.

“In our view, most compromised hosts remain online, but the port running the PHP-CGI or XAMPP service stops responding, thus reducing the number of detected infections,” they wrote. “Another point to note is that currently no ransom payments have been observed to the only Bitcoin address listed in the ransom notes (source). Based on these facts, our intuition is that this is likely the result of those services being decommissioned or otherwise offline.”

XAMPP is used in production, right?

The researchers went on to note that about half of the observed compromises showed clear signs of running XAMPP, but this estimate is likely to be low because not all services publicly disclose what software they use.

“Given that XAMPP is vulnerable by default, it is reasonable to guess that the majority of infected systems are running XAMPP,” the researchers said. This Censys query lists infections that clearly affect the platform. The researchers are not aware of any specific platforms other than XAMPP being compromised.

The discovery of insecure XAMPP servers surprised Will Dormann, senior vulnerability analyst at security firm Analygence, because XAMPP’s maintainers openly state that their software is not suitable for production systems.

“People who choose to run non-production software will have to deal with the consequences of that decision,” he said in an online interview.

Although XAMPP is the only platform confirmed to be vulnerable, anyone running PHP on any Windows system should install the update as soon as possible. The Imperva report linked above provides IP addresses, file names, and file hashes that administrators can use to determine whether they have been targeted in the attacks.