PHP Vulnerability (CVE-2024-4577) Actively Exploited in TellYouThePass Ransomware Attacks

TellYouThePass Ransomware
Image: Imperva Threat Research

The cybersecurity world is on high alert following the discovery of a critical vulnerability (CVE-2024-4577) in PHP, a widely-used scripting language for web development. This vulnerability is currently being actively exploited by malicious actors in a widespread ransomware campaign known as “TellYouThePass.”

The vulnerability, first identified by Devcore Principal Security Researcher Orange Tsai on May 7, 2024, stems from an oversight in character encoding conversions on Windows systems. Exploiting this flaw allows attackers to bypass previous security measures and execute arbitrary code on vulnerable PHP servers.

This vulnerability affects all versions of PHP for Windows, including unsupported End-of-Life versions. Imperva Threat Research has reported observing this vulnerability being used as early as June 8th to deliver TellYouThePass ransomware.

TellYouThePass has been a persistent threat since 2019, targeting businesses and individuals alike. This ransomware has evolved over time, leveraging various vulnerabilities such as Apache Log4j (CVE-2021-44228) and others to infect systems.

In recent attacks, the ransomware has been delivered through a complex chain of events. Attackers leverage CVE-2024-3577 to execute arbitrary PHP code, which then runs an HTML application file hosted on an attacker-controlled server. This file ultimately delivers a .NET variant of the TellYouThePass ransomware.

Image: Imperva Threat Research

The attackers use the exploit for CVE-2024-4577 to execute arbitrary PHP code on target systems. This code uses the “system” function to run an HTML application file hosted on an attacker-controlled web server via the mshta.exe binary. Mshta.exe, a native Windows binary, allows the execution of remote payloads, highlighting the attackers’ “living off the land” strategy.

Immediate action is crucial for organizations and individuals using PHP. Those using supported PHP versions should upgrade to the latest patched versions: PHP 8.3.8, PHP 8.2.20, or PHP 8.1.29.

For systems that cannot be immediately upgraded or those using End-of-Life versions, a temporary mitigation involves applying a mod_rewrite rule to block attacks.

RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? – [F,L]