The Hacker News has an interesting article [thehackernews.com] on a PHP-CGI RCE flaw that is being exploited in the wild.
Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025.
"The attacker has exploited the vulnerability CVE-2024-4577 [thehackernews.com], a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines," Cisco Talos researcher Chetan Raghuprasad said [talosintelligence.com] in a technical report published Thursday.
"The attacker utilizes plugins of the publicly available Cobalt Strike kit 'TaoWu' [github.com] for post-exploitation activities."
Targets of the malicious activity encompass companies across technology, telecommunications, entertainment, education, and e-commerce sectors in Japan.
[...] "We assess with moderate confidence that the attacker's motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks," Raghuprasad said.