Recently Patched PHP Flaw Under Attack By TellYouThePass Ransomware

Researchers have detected active attacks from TellYouThePass ransomware that exploits the recently reported PHP flaw. The active exploits make it even more urgent for the users to patch their systems at the earliest.

TellYouThePass Ransomware Began Exploiting PHP Flaw In Recent Campaigns

According to a recent blog post from Imperva, threat actors behind the TellYouThePass ransomware have started attacking the recently disclosed and patched PHP vulnerability CVE-2024-4577.

This vulnerability recently came into the limelight after researchers discovered an authentication bypass in a previous patch for a 12-year-old code execution flaw. Following the bug report, the vulnerability received a fix with PHP versions 8.3.8, 8.2.20, and 8.1.29. However, the threat actors quickly exploited the flaw before users could patch it.

According to Imperva, their researchers detected active exploitation of the flaw soon after its disclosure, which they could link back to the TellYouThePass ransomware.

In this campaign, the attackers exploit the vulnerability using the mshta.exe binary to run a malicious HTML application. This malicious file includes a VBScript, which then decodes into a binary that loads into memory during runtime.

Analyzing this binary made the researchers find a .NET variant of the ransomware that exhibits the core functionalities. It communicates via HTTP with its C&C, encrypts the files on the infected machine, and places the ransom note that demands 0.1 BTC as ransom.

Since the beginning of this campaign, the ransomware has infected numerous systems and websites. While the patch has already been deployed, the extensive impact of this campaign on multiple systems and sites demonstrates how fast the attackers are to attack vulnerable targets.

To avoid ransomware attacks and other threats, users must rush to patch their systems for CVE-2024-4577. Moreover, users must ensure equipping their systems with robust antimalware programs, and deploying web application firewalls (WAFs) on their sites to prevent similar threats.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients

1 comment

Elena Thomas June 28, 2024 - 7:16 pm
Urgent security alert! The recently patched PHP flaw is under attack by TellYouThePass ransomware.

Comments are closed.

Add Comment