PHP RCE Attack

Actively targeted by ransomware

https://www.openwall.com/lists/oss-security/2024/06/07/1
CVEs: CVE-2024-4577

FortiGuard Labs has observed significant level of exploitation attempts targeting the new PHP vulnerability. The TellYouThePass ransomware gang
has been leveraging CVE-2024-4577, a remote code execution vulnerability in PHP to deliver web shells and deploy ransomware on targeted
systems.

Background CVE-2024-4577 is an argument injection vulnerability in PHP, specifically Windows-based PHP used in CGI mode,
that can be exploited to achieve remote code execution (RCE). This vulnerability is a bypass for the CVE-2012-
1823, which is an older vulnerability affecting PHP. Censys has observed about 458,800 instances of potentially
vulnerable PHP servers as of June 9, 2024.

TellYouThePass ransomware was previously associated with Log4Shell exploitation, targeting Windows and Linux,
and has been active since 2019.

Latest Developments Fortinet customers remain protected through the IPS signature to detect and block the attack attempts targeting
the vulnerability. FortiGuard Labs recommends users apply the most recent patch from the vendor to fully mitigate
any risks.

June 12, 2024: FortiGuard telemetery shows attack attempts targeting 40,000+ unique IPS devices

June 12, 2024: CISA released a Cybersecurity Advisory on Threat Actors Exploiting Vulnerabilities in Ivanti
Connect Secure and Policy Secure Gateways
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

June 10, 2024: Imperva Threat Research reported on attacker activity leveraging the new PHP vulnerability.
https://www.imperva.com/blog/update-cve-2024-4577-quickly-weaponized-to-distribute-tellyouthepass-ransomware/

June 7, 2024: Researchers at watchTowr released a proof-of-concept (PoC) script for CVE-2024-4577 on their
GitHub page.
https://github.com/watchtowrlabs/CVE-2024-4577

June 6, 2024: Patched versions were released by PHP to address this vulnerability.
https://www.php.net/

PROTECT
Countermeasures across the security fabric for protecting assets, data and network from cybersecurity
events:

Reconnaissance

Weaponization

Delivery

AV

Detects known malware related to the Outbreak

FortiADC FortiCASB FortiCWP FortiClient FortiGate FortiMail FortiProxy

DB 91.08976 DB 91.08976 DB 91.08976 DB 91.08976 DB 91.08976 DB 91.08976 DB 91.08976

FortiSASE FortiWeb

DB 91.08976 DB 91.08976

Vulnerability

Detects end-user devices running the vulnerable application.

FortiClient

DB 1.688

AV (Pre-filter)

Detects known malware related to the Outbreak

FortiEDR FortiNDR FortiSandbox

DB 91.08976 DB 91.08976 DB 91.08976

Behavior Detection

Detects unknown malware related to PHP RCE Attack

FortiSandbox

Exploitation

IPS

Detects and blocks attack attempts leveraging the vulnerability

FortiADC FortiGate FortiNDR FortiProxy Freconaci FortiSASE

DB 28.803 DB 28.803 DB 28.803 DB 28.803 DB 28.803 DB 28.803

Installation

Post-execution

FortiEDR

C2

Action

DETECT
Find and correlate important information to identify an outbreak, the following updates are available to raise
alert and generate reports:

IOC

FortiAnalyzer FortiSOCaaS FortiSIEM

Outbreak Detection

FortiAnalyzer FortiSIEM FortiSOAR

DB 2.00049

Threat Hunting

FortiNDR
FortiAnalyzer FortiClient FortiEDR FortiSIEM
Cloud

Content Update

FortiSIEM

Playbook

FortiSOAR

RESPOND
Develop containment techniques to mitigate impacts of security events:

Automated Response

Services that can automaticlly respond to this outbreak.

FortiXDR

Assisted Response Services

Experts to assist you with analysis, containment and response activities.

Incident
Response

RECOVER
Improve security posture and processes by implementing security awareness and training, in preparation for
(and recovery from) security incidents:

NOC/SOC Training

Train your network and security professionals and optimize your incident response to stay on top of the
cyberattacks.

Response
NSE Training
Readiness

End-User Training

Raise security awareness to your employees that are continuously being targeted by phishing, drive-by download
and other forms of cyberattacks.

Security
Awareness &
Training

IDENTIFY
Identify processes and assets that need protection:

Attack Surface Hardening

Check Security Fabric devices to build actionable configuration recommendations and key indicators.

Security
Rating

Vulnerability Management

Reduce the attack surface on software vulnerabilities via systematic and automated patching.

FortiClient

Business Reputation

Know attackers next move to protect against your business branding.

FortiRecon:
BP

Additional Resources
Bleeping Computer https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-exploits-recent-php-rce-flaw-to-breach-
servers/

Censys https://censys.com/cve-2024-4577/

Learn more about FortiGuard Outbreak Alerts