Mass Exploitation of Critical PHP-CGI Vulnerability

Cisco Talos recently uncovered a sophisticated attack campaign targeting Japanese organizations through CVE-2024-4577 [1], a critical PHP-CGI remote code execution flaw with 79 exploits available. While Talos focused on victimology and attacker tradecraft, GreyNoise telemetry reveals a wider exploitation pattern demanding immediate action from defenders globally.

Attack Overview - According to Cisco Talos, the threat actor exploited PHP-CGI installations on Windows systems to deploy Cobalt Strike beacons and conduct post-exploitation activities using the TaoWu toolkit. Key indicators include:
• Initial Access: Exploitation via PHP-CGI vulnerability using HTTP POST requests with MD5 hash e10adc3949ba59abbe56e057f20f883e as a success marker.
• Payloads: PowerShell scripts fetching Cobalt Strike reverse HTTP shellcode (e.g., http://38[.]14[.]255[.]23:8000/payload.ps1).
• C2 Infrastructure: Servers 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77 hosted on Alibaba Cloud, with HTTP User-Agent strings mimicking legacy Internet Explorer versions.

GreyNoise Observations - GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports.

Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.
GreyNoise’s Global Observation Grid (GOG) — a worldwide network of honeypots — detected 1,089 unique IPs attempting to exploit CVE-2024-4577 in January 2025 alone.
While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread, with significant activity observed in the countries shown in the (omitted) figure.
Over 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China.
In February, GreyNoise detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets.

Block Malicious IPs: https://viz.greynoise.io/tags/php-cve-2024-4577-rce-attempt?_ga=2.212639504.567397745.1741618063-226798063.1741618060

Identify and block malicious IPs actively targeting CVE-2024-4577.

Suggested Defenses: Organizations with internet-facing Windows systems exposing PHP-CGI, especially those in these newly identified targeted regions, should follow Cisco Talos' guidance and perform retro-hunts to identify similar exploitation patterns.
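Retro-hunt logic for the indicators listed above, as an added example that is not part of the original article or of the GreyNoise/Talos reporting. It assumes a JSON-lines proxy/WAF record layout (constructed here) and treats "legacy Internet Explorer" as MSIE 5-9 User-Agent tokens, which is an assumption:

```python
import json
import re

# Indicators quoted in the article above (defanged there, re-fanged here for matching).
C2_IPS = {"38.14.255.23", "118.31.18.77"}
SUCCESS_MARKER = "e10adc3949ba59abbe56e057f20f883e"
PAYLOAD_URL_RE = re.compile(r"https?://38\.14\.255\.23:8000/payload\.ps1", re.I)
# The article only says "legacy Internet Explorer"; matching MSIE 5-9 tokens is an assumption.
LEGACY_IE_RE = re.compile(r"\bMSIE [5-9]\.\d", re.I)
PHP_CGI_RE = re.compile(r"php-cgi|\.php(\?|$)", re.I)

def classify(evt):
    """Return the indicator names matched by one proxy/WAF record (a dict)."""
    hits = []
    uri = evt.get("uri", "")
    if evt.get("method") == "POST" and PHP_CGI_RE.search(uri):
        if SUCCESS_MARKER in evt.get("request_body", "") + evt.get("response_body", ""):
            hits.append("phpcgi_post_success_marker")
    if C2_IPS & {evt.get("src_ip"), evt.get("dst_ip")}:
        hits.append("known_c2_ip")
    if PAYLOAD_URL_RE.search(uri) or PAYLOAD_URL_RE.search(evt.get("request_body", "")):
        hits.append("cobalt_strike_payload_url")
    # Beacon traffic: outbound request to a C2 host carrying a legacy IE User-Agent.
    if evt.get("dst_ip") in C2_IPS and LEGACY_IE_RE.search(evt.get("user_agent", "")):
        hits.append("legacy_ie_ua_to_c2")
    return hits

def retro_hunt(jsonl):
    """Return (line_no, hits, record) for each record matching at least one indicator."""
    findings = []
    for n, line in enumerate(jsonl.splitlines(), 1):
        if line.strip():
            evt = json.loads(line)
            hits = classify(evt)
            if hits:
                findings.append((n, hits, evt))
    return findings

# Constructed sample records (not real traffic) in a JSON-lines layout assumed here.
SAMPLE_LOG = """\
{"src_ip":"203.0.113.7","dst_ip":"192.0.2.10","method":"POST","uri":"/php-cgi/php-cgi.exe","response_body":"e10adc3949ba59abbe56e057f20f883e","user_agent":"python-requests/2.31"}
{"src_ip":"192.0.2.10","dst_ip":"38.14.255.23","method":"GET","uri":"http://38.14.255.23:8000/payload.ps1","user_agent":"Mozilla/5.0 (Windows NT 10.0) PowerShell"}
{"src_ip":"192.0.2.10","dst_ip":"118.31.18.77","method":"GET","uri":"/updates","user_agent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"}
{"src_ip":"198.51.100.4","dst_ip":"192.0.2.10","method":"GET","uri":"/index.php?page=home","user_agent":"Mozilla/5.0"}
"""

if __name__ == "__main__":
    for n, hits, evt in retro_hunt(SAMPLE_LOG):
        print(f"line {n}: {evt['src_ip']} -> {evt['dst_ip']} {evt['method']} {evt['uri']}: {', '.join(hits)}")
```

The fourth sample record is ordinary PHP traffic and produces no finding, so the output lists only the three records tied to the published indicators.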

Read the Cisco Talos report here: https://blog.talosintelligence.com/new-persistent-attacks-japan/

 

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

 

https://viz.greynoise.io/tags/php-cve-2024-4577-rce-attempt?_ga=2.20787260.567397745.1741618063-226798063.1741618060
https://www.greynoise.io/blog/mass-exploitation-critical-php-cgi-vulnerability-cve-2024-457
