
Ransomware attackers quickly weaponize PHP vulnerability with a severity rating of 9.8


Ransomware criminals have quickly weaponized an easy-to-exploit vulnerability in the PHP programming language that executes malicious code on web servers, security researchers said.

As of Thursday, Internet scans by security firm Censys had found 1,000 servers infected with the ransomware known as TellYouThePass, down from 1,800 found on Monday. Servers primarily located in China no longer display their usual content; instead, many list the site’s file directory, which indicates that all files have been given a .locked extension, indicating that they are encrypted. An accompanying ransom note demanded approximately $6,500 in exchange for the decryption key.

The result of PHP servers infected by TellYouThePass ransomware. (Image: Censys)

The accompanying ransom note. (Image: Censys)

When opportunity knocks

The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors in the way PHP converts Unicode characters to ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user input into characters that transmit malicious commands to the underlying PHP application. The exploits allow attackers to bypass the fix for CVE-2012-1823, a critical code-execution vulnerability patched in PHP in 2012.

CVE-2024-4577 affects PHP only when running in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP is not set to CGI mode, however, the vulnerability can still be exploited when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible from the web server. This configuration is extremely rare, except for the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows locale – used to customize the operating system to the user’s local language – must be set to Chinese or Japanese.

The critical vulnerability was published on June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the Windows mshta.exe binary to run an HTML application file hosted on a server controlled by an attacker. The use of the binary shows an approach known as living off the land, in which attackers use native operating system features and tools in an attempt to blend in with normal, non-malicious activity.

In a post released Friday, Censys researchers said the TellYouThePass gang's exploitation began on June 7 and echoes past incidents in which the group opportunistically mass-scanned the Internet for vulnerable systems after a high-profile vulnerability was disclosed, indiscriminately targeting any accessible server. The majority of infected servers have IP addresses geolocated in China, Taiwan, Hong Kong or Japan, possibly because Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said in an email.

Since then, the number of infected sites – detected by monitoring for public HTTP responses that serve an open directory listing of the server's file system along with the distinctive file naming convention from the ransom note – has ranged from a low of 670 on June 8 to a high of 1,800 on Monday.
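Added example (not code from the article, Censys or Imperva): a small Python check that applies the same detection logic described above to HTTP response bodies. It assumes the two indicators the article gives, an open directory listing and files renamed with a `.locked` extension, and runs against constructed sample responses rather than real captures.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses (not real captures). The first mimics the
# post-infection open directory listing described in the article; the second
# is an ordinary, healthy page.
INFECTED_BODY = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><ul>
<li><a href="../">Parent Directory</a></li>
<li><a href="index.php.locked">index.php.locked</a></li>
<li><a href="config.php.locked">config.php.locked</a></li>
<li><a href="uploads/">uploads/</a></li>
<li><a href="README.txt">README.txt</a></li>
</ul></body></html>"""

HEALTHY_BODY = """<html><head><title>My Shop</title></head><body>
<h1>Welcome</h1><a href="products.php">Products</a></body></html>"""


class LinkCollector(HTMLParser):
    """Collect href values of <a> tags; directory listings are just links."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def assess(body, min_locked=2):
    """Return indicators extracted from one HTTP response body.

    A host is flagged only when BOTH signals are present: the page is an
    open directory listing AND at least `min_locked` listed files carry the
    .locked extension. Either signal alone is too noisy on its own.
    """
    parser = LinkCollector()
    parser.feed(body)
    listing = re.search(r"<title>\s*Index of\s", body, re.I) is not None
    # Ignore directory entries (trailing slash) so only files are counted.
    files = [h for h in parser.links if not h.endswith("/")]
    locked = [h for h in files if h.lower().endswith(".locked")]
    share = len(locked) / len(files) if files else 0.0
    return {
        "directory_listing": listing,
        "files": len(files),
        "locked_files": len(locked),
        "locked_share": round(share, 2),
        "suspect": listing and len(locked) >= min_locked,
    }
```

Feeding real responses through `assess` gives a per-host record that can be aggregated the way Censys tracked the daily infection count.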

Image tracking daily compromises of PHP servers and their geolocation. (Image: Censys)

Censys researchers said in an email that they’re not entirely sure what’s causing the changing numbers.

“From our perspective, it appears that many of the compromised hosts remain online, but the port running the PHP-CGI or XAMPP service stops responding – hence the drop in detected infections,” they wrote. “Another point to note is that there are currently no observed ransom payments to the single Bitcoin address listed in the ransom notes (source). Based on these facts, our intuition is that this is likely the result of these services being decommissioned or taken offline in some other way.”

XAMPP used in production, really?

The researchers go on to say that roughly half of the observed compromises show clear signs of running XAMPP, but that estimate is likely an underestimate, as not all services explicitly show what software they’re using.

“Given that XAMPP is vulnerable by default, it is reasonable to assume that most of the infected systems are running XAMPP,” the researchers said. This Censys query lists the infections that specifically affect the platform. The researchers are not aware of any specific platforms other than XAMPP that have been compromised.

The discovery of compromised XAMPP servers surprised Will Dormann, a senior vulnerability analyst at security firm Analygence, because XAMPP maintainers specifically say their software is not suitable for production systems.

“People who choose to use non-production software must deal with the consequences of that decision,” he wrote in an online interview.

Although XAMPP is the only platform confirmed to be vulnerable, people running PHP on any Windows system should install the update as soon as possible. The Imperva post linked above provides IP addresses, file names, and file hashes that administrators can use to determine if they were targeted in the attacks.
