TL;DR: The recently disclosed CVE-2024-4577 PHP vulnerability has been rapidly weaponized by the TellYouThePass ransomware gang to breach servers and encrypt files since around June 7th. Censys has published a live dashboard tracking publicly exposed infected hosts, observing around 1,000 as of June 13th, primarily geolocated in China.
We first wrote about this issue in an advisory published on June 10, 2024: https://censys.com/cve-2024-4577/.
This blog will expand upon the evolving exploitation of this vulnerability, the TellYouThePass campaign, and our observations regarding compromised hosts.
Executive Summary
- CVE-2024-4577 is a critical remote code execution (RCE) vulnerability affecting all versions of PHP. Per the original advisory, it allows unauthenticated attackers to execute arbitrary code on vulnerable PHP servers under one of the following configurations:
- Running PHP under CGI mode
- Exposing the PHP binary in the CGI directory – which happens to be the default configuration in XAMPP, a popular Apache web server stack package
- The TellYouThePass ransomware gang has been actively exploiting this flaw since around June 7, 2024 to distribute ransomware. This campaign mirrors past ransomware incidents where gangs opportunistically mass scan the internet for vulnerable systems following a high-profile vulnerability, indiscriminately targeting any accessible server.
- Censys published a dashboard tracking publicly exposed hosts infected with TellYouThePass ransomware over time:
- The first victim exposing ransomware artifacts appeared in our scans on June 8, aligning with observations from Imperva
- There are now around 1,000 compromised hosts online as of June 13, primarily in China, after the initial surge peaking near 1,800 hosts by June 10. This number could be higher if the compromised servers do not have directory indexing configured.
- The disproportionate exploitation observed in China is likely because Windows systems with Chinese or Japanese locales are inherently vulnerable due to their default XAMPP configuration.
- The ransomware appears to alter the service to an open directory, encrypt files, and add ransom notes (with filenames including READ_ME9.html, READ_ME10.html, READ_ME11.html).
- The ransom notes are nearly identical and demand 0.1 BTC.
- Prompt patching is the best way to mitigate the risk of exploitation, as well as upgrading to use the more secure Mod-PHP, FastCGI, or PHP-FPM in place of the outdated PHP-CGI
- Censys Search query for compromised hosts: services: (http.response.body:{“READ_ME9.html”, “READ_ME10.html”, “READ_ME11.html”} and http.response.body:”*.locked*”).
Background
CVE-2024-4577 is a command injection vulnerability in all unpatched versions of PHP that can be remotely exploited under certain circumstances. It stems from unsafe character encoding conversions that can bypass the protections put in place to mitigate CVE-2012-1823.
The researchers behind this CVE have noted that one popular project, XAMPP for Windows, runs one of these vulnerable configurations by default. XAMPP is a popular open source Apache distribution package for developing web servers.
TellYouThePass is a ransomware gang that’s been active since 2019, known for rapidly exploiting widespread vulnerabilities like Log4Shell and Apache ActiveMQ flaws. They’ve been known to target both businesses and individuals across Windows and Linux systems.
This campaign follows a pattern that we have seen play out before: a critical vulnerability affecting a large number of internet-exposed servers attracts the attention of opportunistic threat actors, and the result is a mass exploitation campaign targeting vulnerable servers that are the easiest to find online, no matter who they belong to or what they are.
It’s likely that many of these compromises may be personal web servers or forgotten systems that are no longer actively maintained. And similar to previous ransomware incidents we’ve tracked like ESXiargs (February 2023) and Deadbolt QNAP NAS (January 2022), the ransomware notes from this campaign are likely to persist on affected systems for an extended period, potentially years, until the systems are eventually decommissioned.
While CVE-2024-4577 is critical and actively exploited, the specific circumstances required for a system to be vulnerable, and the relatively low sophistication of the ransomware being deployed, suggest that the impact may be limited to a subset of systems that meet the vulnerability criteria (Japanese or Chinese language locales, and the ability to inject arguments that are passed directly to the PHP binary in some manner (i.e., PHP-CGI)).
Organizations and individuals should prioritize patching and securing their systems, particularly those running Windows PHP with Chinese or Japanese locales.
Timeline of Events
- May 7: CVE-2024-4577 vulnerability discovered and reported to the PHP team
- June 6: PHP releases security updates (versions 8.3.8, 8.2.20, and 8.1.29) to address the flaw (https://www.php.net/downloads)
- June 7: Proof-of-concept exploit code for CVE-2024-4577 published
- June 7-8: TellYouThePass ransomware gang begins exploiting the vulnerability, with the first victim reported
- June 8: Using historical data, Censys observed the first set of compromised TellYouThePass hosts
- June 10: Imperva reports on the exploitation of CVE-2024-4577 to distribute TellYouThePass ransomware
- June 13: Censys published a live dashboard tracking publicly exposed infected hosts
Censys Findings
TellYouThePass Infection Artifacts
From our scanning perspective, the ransomware appears to change the look of a service to an open directory (if the server has been configured to enable directory indexing), which leaks the filesystem of the configured service.
By analyzing these directory listings, we observe that the ransom tool first encrypts each file into a dot-locked (.locked) file, then removes the original unencrypted file, and finally adds one or more ransom notes following the naming convention of “READ_ME[0-9]+.html”. The following screenshots illustrate this:
Service as observed by Censys on Jun 07, 2024 05:32 AM UTC – before compromise
Service as observed by Censys on Jun 08, 2024 03:49 PM UTC – after compromise
This historical diff can also be viewed more precisely in Censys Search: https://search.censys.io/hosts/202.61.85.104/diff?at_time=2024-06-07T05%3A32%3A44.485Z&at_time_b=2024-06-08T15%3A49%3A43.302Z
So far, we have identified three distinct ransom notes associated with this recent wave of exploitation: READ_ME9.html, READ_ME10.html, and READ_ME11.html.
The ransomware notes associated with this threat actor share nearly identical content, with the exception of a dynamic ID assigned to each victim. The ransom demand specified in the notes is 0.1 BTC, which currently equates to around ~6.6k-6.7k USD (based on the current Bitcoin exchange rate).
Example Ransomware Note Contents
The provided Bitcoin address for ransom payment is: bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l.
Upon examining the transaction history of this wallet, the most recent transfer appears to have been made on April 27, 2024, but this was transferring money from this to another wallet (bc1qytcntagd9wqur4fmnqpjmp2s4n8kgzd49c7qlf) , and the money that was there before had not been touched since March 22, 2024. It doesn’t immediately seem like ransoms are being actively paid to this address for this campaign.
Transaction History for TellYouThePass Bitcoin address.
Censys Search query for compromised hosts: services: (http.response.body:{“READ_ME9.html”, “READ_ME10.html”, “READ_ME11.html”} and http.response.body:”*.locked*”).
Tracking TellYouThePass Infections
We have published a live dashboard tracking publicly exposed hosts infected with TellYouThePass ransomware. As of June 13th, we currently observe around 1,000 infected hosts online.
Censys observed a rapid increase in the number of infected hosts exposing TellYouThePass ransomware notes, starting from zero on June 7th. The following days saw a significant surge:
- June 8: Around 670 infected hosts, displaying a combination of “READ_ME9” and “READ_ME10” notes, with “READ_ME9” being more prevalent.
- June 9: Nearly 1,700 infected hosts exposed.
- June 10: Approximately 1,800 infected hosts exposed.
- June 11: The number of exposed infected hosts starts to drop, going down to about 1700 again
- June 12: Censys detected a new wave of infections with a different ransom note: “READ_ME11”.
- June 13: The number of exposed infected hosts has continued to gradually decrease, with around 1,000 hosts still online as of June 13th.
Over half of these compromises appear to be in China. This aligns with observations in the original security advisory by Taiwanese red team company DEVCORE that XAMPP installations on Windows systems running in Traditional Chinese, Simplified Chinese, or Japanese locales are configured to expose the PHP executable binary in the CGI directory by default, rendering them vulnerable to CVE-2024-4577 by default.
While the recent wave of attacks primarily involves ransom notes numbered 9 through 11, Censys has also observed a small number of hosts exposing two lower numbered ransomware notes: READ_ME1.html and READ_ME4.html (Search query). It’s possible that these are remnants from earlier TellYouThePass exploitation campaigns.
Researchers at Arctic Wolf have suggested that READ_ME4.html in particular could be associated with the November 2023 campaign targeting vulnerable Apache ActiveMQ instances.
In line with this hypothesis, Censys has identified indications of ActiveMQ instances on a few of the hosts exposing the READ_ME4.html file, potentially linking them to the previous ActiveMQ-focused attacks.
Example Directory Listing on a Host exposing a READ_ME4.html ransom note and an ActiveMQ-related Service
Characterizing the Infected Hosts
As mentioned earlier in this post, from our scanning perspective, the ransomware appears to change the underlying PHP service to present an open directory that exposes the internal filesystem of the compromised host.
While analyzing these directory listings, we observed a 9.0M file named help.scr on 78 compromised hosts, which caught our attention. SCR files, short for “Screensaver” files, are executable files commonly used to distribute malware. These files can contain malicious code disguised as a screensaver or other seemingly benign program, making them a common vector for threat actors to deliver malicious payloads.
It’s initially unclear whether these help.scr files were present on the hosts prior to the compromise or if they were dropped by the TellYouThePass campaign.
Example 1: Directory Listing Exposing a help.scr file
On one of the compromised hosts, depicted in the screenshot above, the timestamp reported for help.scr is 2023-11-30 13:09, which aligns with the timing of the November 2023 wave of ActiveMQ exploitation by TellYouThePass. This could suggest that the file is a relic from that infection, but it’s also possible that it’s completely unrelated to the TellYouThePass campaign.
Let’s look at another example.
Example 2: Directory Listing Exposing a help.scr file
On this host, the timestamp on help.scr is June 11, 2024, which lines up with the timeline of the current campaign. This is another indication that the file might be related to the ransomware, but it remains speculative.
Upon examining some of these file paths in the URLhaus database, many of them have been reported and associated with the “TellYouThePass” tag as of today, June 14, 2024 (https://urlhaus.abuse.ch/browse/tag/TellYouThePass/).
Further analysis is required to conclusively determine the file’s origin and how it’s potentially being leveraged.
Censys Search query for compromised directory listings exposing a help.scr file: services: (http.response.body:{“READ_ME9.html”, “READ_ME10.html”, “READ_ME11.html”} and http.response.body:”*.locked*” and http.response.body:”*help.scr*”)
What can be done?
This particular campaign appears to just be indiscriminately scanning the internet for vulnerable PHP servers, exploiting them regardless of the owner or the nature of the website. That opportunistic behavior suggests that the attackers are likely not targeting specific organizations or individuals, but simply attempting the exploit against easily identifiable vulnerable servers.
With that said, it’s strongly recommended to update your PHP version promptly and switch to a more secure alternative to PHP-CGI.
References:
