A newly discovered remote code execution (RCE) vulnerability in PHP’s CGI implementation on Windows, CVE-2024-4577, is being actively exploited in targeted cyberattacks. The flaw allows attackers to execute arbitrary commands remotely, compromising servers running vulnerable PHP-CGI configurations.
The attacks, primarily observed in technology, telecommunications, education, entertainment, and e-commerce sectors, have involved sophisticated post-exploitation techniques. Once attackers gain an initial foothold, they deploy malicious PowerShell scripts to install backdoors and establish long-term access. Cobalt Strike, a widely used penetration testing tool often abused by cybercriminals, has been identified as a key component in these operations.
To escalate privileges and maintain control over infected machines, attackers are using a range of advanced tools, including JuicyPotato, RottenPotato, and Mimikatz—allowing them to extract credentials, move laterally within networks, and execute code with system-level privileges. Additional tactics include modifying Windows registry keys, scheduling malicious tasks, and deploying customized Cobalt Strike plugins to evade detection.
One alarming aspect of this campaign is the use of cloud-based command-and-control (C2) servers, particularly those hosted on major cloud providers. Attackers have been seen leveraging BeEF (Browser Exploitation Framework), Viper C2, and Blue-Lotus, signaling a high level of sophistication in orchestrating these breaches.
To avoid detection, the attackers systematically erase event logs, making forensic investigation challenging. This method ensures that compromised organizations struggle to trace the full extent of the intrusion.
How to Protect Against CVE-2024-4577 Exploits
- Apply Security Patches: Organizations running PHP-CGI must update their PHP versions immediately to mitigate this vulnerability.
- Restrict PHP-CGI Usage: If not required, disable PHP-CGI execution on servers to eliminate attack vectors.
- Monitor for Suspicious Activity: Security teams should track PowerShell executions, unauthorized privilege escalations, and unexpected registry changes.
- Enhance Threat Detection: Deploy endpoint detection and response (EDR) solutions to detect Cobalt Strike payloads and other post-exploitation frameworks.
With the growing sophistication of cyber threats targeting widely used software, organizations must remain vigilant and act quickly to defend against such exploits.
