A significant security vulnerability, identified as CVE-2024-4577, has been discovered in PHP servers, primarily impacting Windows systems using Chinese and Japanese language locales. This PHP CGI Argument Injection flaw allows attackers to achieve remote code execution (RCE) on vulnerable servers, which could lead to a variety of malicious actions. The vulnerability was initially identified by security researcher Orange Tsai in June 2024, with further research and a proof-of-concept exploit shared by Watchtwr Labs.
The flaw has quickly gained attention from threat actors, who have already attempted to exploit it in the wild. Attackers have leveraged this vulnerability to deploy several types of malware, including the Gh0st RAT, RedTail cryptominers, and XMRig. Additionally, the exploitation of this vulnerability has been used to inject the PacketCrypt Classic Cryptocurrency Miner into affected PHP servers, enabling malicious actors to hijack server resources for cryptocurrency mining purposes.
A researcher from Watchtwr Labs, Yee Ching Tok, investigated the exploitation of the vulnerability, noting that it appears to target poorly configured PHP servers with unrestricted access to php-cgi.exe. The exploitation process begins with the retrieval of a secondary file, pkt1.exe, which then installs additional components, including the PacketCrypt miner. These components connect to a wallet address to facilitate the mining operation, potentially draining server resources and affecting server performance.
This incident serves as a reminder for PHP server administrators to ensure their systems are regularly updated and patched against known vulnerabilities. The exploitation of CVE-2024-4577 highlights the importance of auditing web servers for security flaws and taking proactive measures to prevent crypto mining operations and other forms of unauthorized activity. Organizations should apply security patches as soon as they become available to safeguard their systems from exploitation.
