Professional Documents
Culture Documents
report-fx-financialetters-cce-sempromo-receiptssl-acc-acceptedx-zone
report-fx-financialetters-cce-sempromo-receiptssl-acc-acceptedx-zone
FortiGuard Labs has observed significant level of exploitation attempts targeting the new PHP vulnerability. The TellYouThePass ransomware gang
has been leveraging CVE-2024-4577, a remote code execution vulnerability in PHP to deliver web shells and deploy ransomware on targeted
systems.
Background CVE-2024-4577 is an argument injection vulnerability in PHP, specifically Windows-based PHP used in CGI mode,
that can be exploited to achieve remote code execution (RCE). This vulnerability is a bypass for the CVE-2012-
1823, which is an older vulnerability affecting PHP. Censys has observed about 458,800 instances of potentially
vulnerable PHP servers as of June 9, 2024.
TellYouThePass ransomware was previously associated with Log4Shell exploitation, targeting Windows and Linux,
and has been active since 2019.
Latest Developments Fortinet customers remain protected through the IPS signature to detect and block the attack attempts targeting
the vulnerability. FortiGuard Labs recommends users apply the most recent patch from the vendor to fully mitigate
any risks.
June 12, 2024: FortiGuard telemetery shows attack attempts targeting 40,000+ unique IPS devices
June 12, 2024: CISA released a Cybersecurity Advisory on Threat Actors Exploiting Vulnerabilities in Ivanti
Connect Secure and Policy Secure Gateways
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
June 10, 2024: Imperva Threat Research reported on attacker activity leveraging the new PHP vulnerability.
https://www.imperva.com/blog/update-cve-2024-4577-quickly-weaponized-to-distribute-tellyouthepass-ransomware/
June 7, 2024: Researchers at watchTowr released a proof-of-concept (PoC) script for CVE-2024-4577 on their
GitHub page.
https://github.com/watchtowrlabs/CVE-2024-4577
June 6, 2024: Patched versions were released by PHP to address this vulnerability.
https://www.php.net/
PROTECT
Countermeasures across the security fabric for protecting assets, data and network from cybersecurity
events:
Reconnaissance
Weaponization
Delivery
AV
FortiSASE FortiWeb
DB 91.08976 DB 91.08976
Vulnerability
FortiClient
DB 1.688
AV (Pre-filter)
Behavior Detection
FortiSandbox
Exploitation
IPS
Installation
Post-execution
FortiEDR
C2
Action
DETECT
Find and correlate important information to identify an outbreak, the following updates are available to raise
alert and generate reports:
IOC
Outbreak Detection
DB 2.00049
Threat Hunting
FortiNDR
FortiAnalyzer FortiClient FortiEDR FortiSIEM
Cloud
Content Update
FortiSIEM
Playbook
FortiSOAR
RESPOND
Develop containment techniques to mitigate impacts of security events:
Automated Response
FortiXDR
Incident
Response
RECOVER
Improve security posture and processes by implementing security awareness and training, in preparation for
(and recovery from) security incidents:
NOC/SOC Training
Train your network and security professionals and optimize your incident response to stay on top of the
cyberattacks.
Response
NSE Training
Readiness
End-User Training
Raise security awareness to your employees that are continuously being targeted by phishing, drive-by download
and other forms of cyberattacks.
Security
Awareness &
Training
IDENTIFY
Identify processes and assets that need protection:
Check Security Fabric devices to build actionable configuration recommendations and key indicators.
Security
Rating
Vulnerability Management
Reduce the attack surface on software vulnerabilities via systematic and automated patching.
FortiClient
Business Reputation
FortiRecon:
BP
Additional Resources
Bleeping Computer https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-exploits-recent-php-rce-flaw-to-breach-
servers/
Censys https://censys.com/cve-2024-4577/