PHP RCE Vulnerability Actively Exploited in Wild to Attack Windows-based Systems

Security researchers at Bitdefender Labs have detected a significant surge in exploitation attempts targeting a critical PHP vulnerability that allows attackers to execute malicious code on Windows-based systems.
The vulnerability, tracked as CVE-2024-4577, has been actively exploited since June 2024, with attackers primarily deploying cryptocurrency miners and remote access tools on compromised servers.
Vulnerability Details and Exploitation Trends
CVE-2024-4577 is a severe argument injection vulnerability affecting PHP installations running in CGI mode on Windows systems.
The flaw allows remote attackers to execute arbitrary code by manipulating character encoding conversions.
When Windows attempts to “translate” unrecognized characters into the closest match, carefully crafted inputs can transform into instructions that execute code on the targeted machine.
Bitdefender’s telemetry reveals a concerning geographic distribution of attacks, with Taiwan experiencing the highest concentration (54.65%), followed by Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%).

While exploitation of the vulnerability typically depends on the multi-byte character sets and locales common in Asian languages, security experts emphasize that systems worldwide remain at risk.
Security researchers have identified several distinct attack patterns associated with this vulnerability. Approximately 15% of detected exploits involve basic vulnerability checks using simple commands like “whoami” to verify system exploitability.
Another 15% focus on system reconnaissance, where attackers employ “Living Off The Land” techniques using built-in Windows command-line tools to gather information about the compromised system.
“The most concerning pattern we’re seeing is the deployment of cryptocurrency miners, which accounts for about 5% of detected attacks,” noted Bitdefender researchers.
The popular XMRig software is being deployed to mine Monero cryptocurrency, leveraging server resources while remaining hidden from typical monitoring tools.
In a curious development, researchers have documented attempts to modify firewall configurations on vulnerable servers to block access to known malicious IPs associated with the exploit.
This unusual pattern suggests a possible “cryptojacking rivalry” where competing malicious actors are battling for control of compromised systems.
Commands discovered by Bitdefender show attackers creating firewall rules to block both inbound and outbound connections to specific IP addresses, including known Monero mining servers.
This behavior aligns with past observations of competition between cryptojacking operators.
Beyond cryptocurrency mining, attackers are deploying remote access tools like Quasar RAT, giving them extensive control over compromised systems.
These tools enable keylogging, screen capture, file transfers, and remote command execution.
Researchers have also identified MSI installations and FTP downloads from malicious domains like oldschool[.]best, indicating possible botnet recruitment efforts.
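As an added detection example (not from the Bitdefender report or from Cyber Security News), the post-exploitation stages described above can be hunted for in process-creation telemetry: php-cgi.exe has no business spawning a command shell, and the child's command line indicates which stage the intruder has reached. The events, the parent/image/cmdline field names and the IP 203.0.113.10 are constructed for this example.

```python
import re

# Constructed process-creation events (Sysmon EID 1 / EDR style); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\php\php-cgi.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\php\php-cgi.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c systeminfo & tasklist & net user"},
    {"parent": r"C:\php\php-cgi.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"netsh advfirewall firewall add rule name=x "
                "dir=out action=block remoteip=203.0.113.10\""},
    {"parent": r"C:\php\php-cgi.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start /b xmrig.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},  # same command, benign parent: not flagged
]

SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")

# Ordered so the most specific, highest-severity stage wins when several match.
PATTERNS = [
    ("miner", re.compile(r"\bxmrig\b|stratum\+tcp://", re.I)),
    ("firewall-tampering", re.compile(r"netsh\s+advfirewall", re.I)),
    ("recon", re.compile(r"\b(systeminfo|tasklist|ipconfig|net\s+user|net\s+group|nltest)\b", re.I)),
    ("vuln-check", re.compile(r"\bwhoami\b", re.I)),
]

def classify(event):
    """Category for a shell spawned by php-cgi.exe, or None if the event is not of interest."""
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if parent != "php-cgi.exe" or image not in SHELLS:
        return None
    for name, pattern in PATTERNS:
        if pattern.search(event["cmdline"]):
            return name
    return "unknown-shell"  # any shell under php-cgi is abnormal and still deserves review

def triage(events):
    """Group flagged command lines by stage, for hunting over a batch of events."""
    hits = {}
    for ev in events:
        cat = classify(ev)
        if cat:
            hits.setdefault(cat, []).append(ev["cmdline"])
    return hits
```

A single "vuln-check" hit is an early warning that the host answered an exploit probe; "firewall-tampering" or "miner" hits mean the host is already owned and should be isolated rather than just patched.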
Mitigations
The PHP development team has released patches addressing this vulnerability in versions 8.3.8, 8.2.20, and 8.1.29.
Organizations running older versions, especially unsupported branches like PHP 8.0, PHP 7, and PHP 5, should update immediately.
Security experts also recommend evaluating more secure architectures than CGI, such as Mod-PHP, FastCGI, or PHP-FPM.
Additionally, organizations should consider limiting the use of PowerShell and other administrative tools to privileged users, as most campaigns leverage these built-in utilities for malicious purposes.
With ransomware affiliates and initial access brokers actively seeking vulnerabilities like CVE-2024-4577, organizations are advised to implement continuous monitoring and proactive threat hunting to detect potential compromise before more damaging attacks can occur.
The post PHP RCE Vulnerability Actively Exploited in Wild to Attack Windows-based Systems appeared first on Cyber Security News.