The Akamai Security Intelligence Response Team (SIRT) has warned about exploiting a critical PHP vulnerability, CVE-2024-4577. Multiple threat actors exploit this flaw to deliver various malware families, including Gh0st RAT, RedTail crypto miners, and XMRig.
Rapid Exploitation Timeline
Akamai researchers observed exploit attempts targeting this PHP vulnerability on their honeypot network within 24 hours of its disclosure. This rapid exploitation underscores the ongoing trend of shrinking timelines between vulnerability disclosure and active attacks.
Understanding CVE-2024-4577
CVE-2024-4577 is a PHP-CGI OS Command Injection Vulnerability with a critical CVSS score of 9.8. The flaw resides in the Best-Fit feature of encoding conversion within the Windows operating system. Attackers can exploit this vulnerability to bypass protections for a previous flaw, CVE-2012-1823, using specific character sequences.
Impact and Exploitation
Successful exploitation allows attackers to execute arbitrary code on remote PHP servers through an argument injection attack. This can lead to complete control of vulnerable servers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-4577 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting its severity.
Observed Malware Campaigns
Gh0st RAT
Akamai detected attempts to deliver Gh0st RAT, an open-source remote access tool with a history spanning over 15 years. The malware exhibits various behaviors, including drive enumeration, peripheral queries, and registry access.
RedTail Cryptominer
Within days of its disclosure, a RedTail crypto mining operation was observed exploiting CVE-2024-4577. The attack involves downloading and executing a shell script that retrieves the RedTail crypto-mining malware.
Muhstik Botnet
Researchers identified threat actors behind the Muhstik DDoS botnet exploiting this vulnerability. The botnet targets IoT devices and Linux servers for crypto mining and DDoS purposes, communicating via Internet Relay Chat.
XMRig Campaign
Another campaign abuses the exploit to deliver XMRig, a popular cryptocurrency mining software. The attack uses PowerShell to download and execute a script that sets up XMRig from a remote mining pool, followed by cleanup procedures for obfuscation.
Mitigation Strategies
Organizations are strongly advised to apply necessary patches promptly. Akamai customers using the Adaptive Security Engine in automatic mode with the Command Injection Attack group set to Deny have mitigations automatically enabled against these types of attacks.
Specific Mitigation Rules
For customers using Adaptive Security Engine in manual mode, Akamai recommends validating that the following rules are in Deny mode:
- 969151 v1 — PHP Injection Attack (Opening Tag)
- 959977 v1 — PHP Injection Attack (Configuration Override)
- 3000155 v1 — CMD Injection Attack Detected (PHP/Data Filter Detected)
- 3000171 v3 — Webshell/Backdoor File Upload Attempt
