Ransomware, Patch/Configuration Management, Third-party code

PHP flaw exploited by TellYouThePass ransomware campaign

Real Php code developing screen. Programing workflow abstract algorithm concept. Lines of Php code visible under magnifying lens.

Attackers were observed leveraging a critical remote execution vulnerability in PHP to compromise servers and deploy malware that’s part of a TellYouThePass ransomware campaign.

In a June 10 blog post, Imperva Threat Research said they found attackers exploiting the high-severity PHP flaw — CVE-2024-4577 — as early as June 8, just a day or two after PHP's maintainers released a patch.

PHP operates as a free, open-source, server-side scripting language that's used to create dynamic web pages. It powers more than 75% of all websites where the server-side programming can be discerned.  

Because many types of enterprises depend on PHP installations to run their websites and attackers can easily move laterally once they gain entry, the Imperva researchers said security teams should patch right away.

TellYouThePass ransomware has been active since 2019 attacking businesses and individuals in campaigns that target both Windows and Linux systems. It’s best known for leveraging CVE-2021-44228, the Apache Log4j flaw, and has also been seen using CVE-2023-46604.

Most security teams know all too well that cybercriminals closely monitor public disclosures and proof-of-concept releases to act swiftly on any vulnerability they can easily exploit, explained Darren Guccione, co-founder and CEO of Keeper Security. Cybercriminals aim to gain unauthorized access to systems through unpatched PHP installations with vulnerabilities like CVE-2024-4577, he continued.

“Once inside, they move laterally across the network to compromise additional systems and locate valuable data,” said Guccione. “To protect themselves from exploits like the TellYouThePass ransomware, security teams must immediately apply new security updates as soon as they are released to minimize the window of opportunity for attackers.”

Agnidipta Sarkar, vice president and CISO Advisory at ColorTokens, added that on paper, it’s a simple job: just apply the patch. While many enterprises will do that, Sarkar said there's a catch: PHP is one of the most popular server-side scripting languages used to create dynamic web pages to complex applications. Enterprises that have deployed PHP-based applications in real-time especially those with lesser security focus will be vulnerable.

“Especially those that may not have planned for staging environments to patch PHP vulnerabilities quickly,” said Sarkar, who said teams need to consider a microsegmentation approach.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.