Tag: CVE-2024-4577

9 Attack Reports | 1 Vulnerabilities

Attack reports

Unmasking the new persistent attacks on Japan

An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, …
powershell
cobalt strike
persistence
credential theft
CVE-2024-4577
japan
2025-03-06
php-cgi
taowu
Published: March 6, 2025
Downloadable IOCs: 3

PacketCrypt Classic Cryptocurrency Miner on PHP Servers

A cryptocurrency mining campaign targeting vulnerable PHP servers has been identified. The attack exploits misconfigured or unpatched servers, allowing unauthorized access to php-cgi.exe. The malware, initially delivered as dr0p.exe, downloads a secondary payload pkt1.exe, which then spawns packetc…
cryptomining
CVE-2024-4577
php
2025-01-07
packetcrypt
stake-to-earn
Published: January 7, 2025
Downloadable IOCs: 6

Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave

The Androxgh0st botnet, active since January 2024, has evolved to incorporate Mozi botnet payloads, expanding its attack surface from web servers to IoT devices. It exploits vulnerabilities in various platforms, including Cisco ASA, Atlassian JIRA, and PHP frameworks, utilizing remote code executio…
iot
botnet
credential theft
CVE-2024-4577
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
routers
CVE-2022-1040
mozi
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
2024-11-12
web servers
persistent access
Published: November 12, 2024
Downloadable IOCs: 10

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The AndroxGh0st malware has expanded its capabilities by incorporating the Mozi botnet to target IoT devices and cloud services. This Python-based tool, known for attacking Laravel applications, now exploits a wider range of vulnerabilities in internet-facing applications. The malware uses remote c…
iot
botnet
wordpress
CVE-2024-4577
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
cloud services
credential stealing
CVE-2022-1040
2024-11-08
mozi
laravel
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
Published: November 8, 2024
Downloadable IOCs: 1

People's Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations

PRC-linked cyber actors have compromised thousands of Internet-connected devices to create a botnet for malicious activities. Integrity Technology Group, a PRC-based company with government links, has controlled a botnet of over 260,000 devices since mid-2021. The botnet uses Mirai-based malware to…
china
ddos
iot
botnet
cyber espionage
mirai
CVE-2024-29973
CVE-2024-4577
CVE-2024-5217
routers
CVE-2023-3519
CVE-2023-46604
CVE-2023-46747
2024-10-02
CVE-2023-43478
CVE-2023-3852
CVE-2023-36844
network compromise
CVE-2024-29269
CVE-2023-36542
CVE-2023-35885
CVE-2024-21762
CVE-2023-38035
CVE-2023-35843
CVE-2023-37582
CVE-2023-38646
CVE-2023-50386
CVE-2023-47218
Published: October 2, 2024
Downloadable IOCs: 169

New Backdoor Targeting Taiwan Employs Stealthy Communications

A previously undiscovered backdoor malware, Backdoor.Msupedge, has been deployed in an attack against a university in Taiwan. This backdoor utilizes an atypical technique, communicating with a command-and-control server through DNS traffic. It receives commands by resolving structured host names, a…
CVE-2024-4577
2024-08-20
backdoor.msupedge
Published: August 20, 2024
Downloadable IOCs: 3

CVE-2024-4577 Exploits in the Wild One Day After Disclosure

One of the most recent examples of this onslaught lies in a critical vulnerability discovered in PHP (versions 8.1.*, before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8). The vulnerability is caused by the way PHP and CGI handlers parse certain Unicode characters, which can enable an attack…
rat
xmrig
vulnerability
cryptominer
gh0st rat
muhstik
CVE-2024-4577
2024-07-11
redtail
php injection
Published: July 11, 2024
Downloadable IOCs: 17

Ransomware: Activity Levels Remain High Despite Disruption

While overall activity levels dipped slightly in the first quarter of 2024, the number of claimed attacks remained high, with LockBit accounting for over 20%. The report explores the changing tactics employed by ransomware actors, including the exploitation of vulnerabilities, the use of Bring-Your…
ransomware
lockbit
vulnerability
blackcat
alphv
encryption
phobos
cyclops blink
CVE-2024-4577
noberus
tellyouthepass
blacksuit
2024-07-11
akira
warp av killer
qilin
disruption
Published: July 11, 2024
Downloadable IOCs: 27

Update: CVE-2024-4577 quickly weaponized to distribute Ransomware

The report describes an attack campaign leveraging the CVE-2024-4577 vulnerability to deliver the "TellYouThePass" ransomware. The attackers use the vulnerability to execute arbitrary PHP code and run a malicious HTML application that loads a .NET variant of the ransomware into memory. Upon executi…
exploit
ransomware
encryption
CVE-2024-4577
2024-06-11
tellyouthepass
infection
Published: June 11, 2024
Downloadable IOCs: 5
Click here to see more Attack Reports

Vulnerabilities

CVE-2024-4577

9.8
    PHP
  • Version(s): 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8
Published: June 9, 2024
Click here to see more Vulnerabilities