The Hacker News has an interesting article on a PHP-CGI RCE flaw that is being exploited in the wild.
Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025.
"The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines," Cisco Talos researcher Chetan Raghuprasad said in a technical report published Thursday.
"The attacker utilizes plugins of the publicly available Cobalt Strike kit 'TaoWu' for post-exploitation activities."
Targets of the malicious activity encompass companies across technology, telecommunications, entertainment, education, and e-commerce sectors in Japan.
[...] "We assess with moderate confidence that the attacker's motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks," Raghuprasad said.
(Score: 2) by Username on Wednesday March 12, @02:58PM (1 child)
The way I read it, it's CGI injection using PHP scripts. I had no idea you could run PHP through CGI. I haven't done web stuff in 20 years, but PHP was its own thing on Apache servers. Had no idea it runs on Windows or that Windows had a cgi-bin. Windows was usually ASP stuff.
I'm assuming something was passed via url and wasn't sanitized properly. Cgi-bin/Index.php?p=*injection* sort of thing.
(Score: 1, Informative) by Anonymous Coward on Wednesday March 12, @06:45PM
There's fancy voodoo you can do with paths on Windows if you know how that can be used to escape sanitation attempts: https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/