CVE-2024-4577 Exploits in the Wild One Day After Disclosure

July 12, 2024, 6:33 a.m.

Description

One of the most recent examples of this onslaught lies in a critical vulnerability discovered in PHP (versions 8.1.*, before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8). The vulnerability is caused by the way PHP and CGI handlers parse certain Unicode characters, which can enable an attacker to achieve remote code execution (RCE). This vulnerability is incredibly simple to exploit, and we have observed a wide variety of threat actors taking advantage of the flaw to target vulnerable devices.

External References

https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure
https://otx.alienvault.com/pulse/6690421147c0f7d0c5b0abfd
Tags
rat
xmrig
vulnerability
cryptominer
gh0st rat
muhstik
CVE-2024-4577
2024-07-11
redtail
php injection

Date

  • Created: July 11, 2024, 8:35 p.m.
  • Published: July 11, 2024, 8:35 p.m.
  • Modified: July 12, 2024, 6:33 a.m.

Indicators

  • redtail_miner
  • a646ebf85afa29ae1c77458c575b5e4b0b145d813db028435d33b522edccdc0e
  • 9753df3ea4b9948c82310f64ff103685f78af85e3e08bb5f0d0d44047c63c315
  • 19a06de9a8b66196fa6cc9e86824dee577e462cbeaf36d715c8fea5bcb08b54d
  • ab897157fdef11b267e986ef286fd44a699e3699a458d90994e020619653d2cd
  • 0d70a044732a77957eaaf28d9574d75da54ae430d8ad2e4049bd182e13967a6f
  • 2c602147c727621c5e98525466b8ea78832abe2c3de10f0b33ce9a4adea205eb
  • 1ae2fef05798f0f27e9de76fcef0217f282090fab1ba750623ca36b413151434
  • 9e28f942262805b5fb59f46568fed53fd4b7dbf6faf666bedaf6ff22dd416572
  • 185.172.128.93
  • 156.67.218.115
  • 185.201.8.176
  • 86.48.2.49
  • 147.139.29.220
  • 194.59.165.52
  • p.findmeatthe.top
  • p.deutschland-zahlung.eu
Download all indicators here!

Attack Patterns

  • Muhstik
  • RedTail
  • Gh0st RAT
  • XMRig
  • T1120
  • T1091
  • T1571
  • T1547
  • T1082
  • T1057
  • T1071
  • T1027
  • T1112
  • T1056
  • T1003