posted by hubie on Wednesday March 12, @09:35AM
from the another-day-another-exploit dept.

The Hacker News has an interesting article on a PHP-CGI RCE flaw that is being exploited in the wild.

Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025.

"The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines," Cisco Talos researcher Chetan Raghuprasad said in a technical report published Thursday.

"The attacker utilizes plugins of the publicly available Cobalt Strike kit 'TaoWu' for post-exploitation activities."

Targets of the malicious activity encompass companies across technology, telecommunications, entertainment, education, and e-commerce sectors in Japan.

[...] "We assess with moderate confidence that the attacker's motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks," Raghuprasad said.


  • (Score: 3, Informative) by ls671 (891) on Wednesday March 12, @02:38PM (#1396137) (2 children)

    I run all PHP behind a mod_security reverse proxy, and it can save your arse a lot of the time. Chances are mod_security would have stopped the attack, but it could maybe have gotten through as well, since I didn't find a proof of concept of the attack. Only Windows servers appear to be vulnerable, though.

    Nowadays, it's pretty risky to run any web application without a WAF.

    --
    Everything I write is lies, including this sentence.
    • (Score: 2) by Username (4557) on Wednesday March 12, @02:58PM (#1396139) (1 child)

      The way I read it, it's CGI injection using PHP scripts. I had no idea you could run PHP through CGI. I haven't done web stuff in 20 years, but PHP was its own thing on Apache servers. Had no idea it runs on Windows or that Windows had a cgi-bin. Windows was usually ASP stuff.

      I'm assuming something was passed via url and wasn't sanitized properly. Cgi-bin/Index.php?p=*injection* sort of thing.
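The two comments above leave the mechanism open: ls671 asks whether a WAF would have caught the request, and Username guesses at a `?p=injection` shape. What the public advisories for CVE-2024-4577 describe (this detail is not on this page) is argument injection into PHP-CGI, the same family as CVE-2012-1823: when a query string contains no literal "=", the CGI server hands it to php-cgi as command-line words, and on Windows in the affected code pages the best-fit character mapping rewrites the soft hyphen 0xAD to "-", so a percent-encoded `%ADd` becomes the `-d` option that the 2012 fix no longer recognises. The Python below is an added example, not code from this page, from Cisco Talos or from The Hacker News; it scans constructed Apache-style access-log lines (made-up addresses, timestamps and paths) for that request shape, which is the kind of check a WAF or log-review job would run.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache/nginx "combined" access-log line; only the fields used here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# An argv word that php-cgi would parse as an option: "-" followed by an
# option letter, or the 0xAD soft hyphen that Windows best-fit mapping
# (in the affected code pages) rewrites to "-" before php-cgi sees it.
OPTION_WORD_RE = re.compile(rb'^(?:-|\xad)[A-Za-z]')


def cgi_argv(query):
    """Recover the argv words php-cgi receives for a query string.

    Per the CGI spec (RFC 3875, section 4.4) the server passes the query
    string to the script as command-line words, split on "+", only when it
    contains no literal "=". That is why injection strings encode the "="
    as %3d: "-d+allow_url_include%3d1" has no "=" and so is delivered as
    the two words "-d" and "allow_url_include=1".
    """
    if '=' in query:
        return []
    return [unquote_to_bytes(word) for word in query.split('+') if word]


def is_option_injection(target):
    """True if the request target's query string would reach php-cgi as
    option words (the CVE-2012-1823 / CVE-2024-4577 request shape)."""
    _path, sep, query = target.partition('?')
    if not sep:
        return False
    return any(OPTION_WORD_RE.match(word) for word in cgi_argv(query))


def scan_log(lines):
    """Return (client_ip, request_target) for every flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_option_injection(m['target']):
            hits.append((m['ip'], m['target']))
    return hits


# Constructed sample log (made-up addresses, timestamps and paths). The
# third request uses the soft-hyphen form; the fourth the plain "-d" form
# known since CVE-2012-1823. The first two are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2025:09:01:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123
203.0.113.5 - - [12/Mar/2025:09:01:13 +0000] "GET /search?q=cgi+bin+howto HTTP/1.1" 200 812
198.51.100.7 - - [12/Mar/2025:09:02:44 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 98
198.51.100.7 - - [12/Mar/2025:09:02:45 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 98
"""

if __name__ == '__main__':
    for ip, target in scan_log(SAMPLE_LOG.splitlines()):
        print(f'php-cgi option injection from {ip}: {target}')
```

Two details matter for a rule like this. The "no literal =" condition is what separates argv-style queries from ordinary ones, so a signature that only looks for `-d` anywhere in a URL is both noisier and blinder than it needs to be. And the decoding is done to bytes on purpose: a pipeline that decodes `%AD` to the Unicode soft hyphen U+00AD and then normalises or strips it as invisible formatting loses exactly the byte that turns into the option dash on the vulnerable server.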
