
TellYouThePass Ransomware Actor Weaponizing PHP RCE Flaw, Patch Immediately

Nov 23, 2025 · 3 min read

The notorious TellYouThePass ransomware gang exploits a critical remote code execution (RCE) vulnerability in PHP to compromise servers and deploy their malicious payloads.

The flaw, tracked as CVE-2024-4577, allows unauthenticated attackers to execute arbitrary code on vulnerable PHP installations.

Imperva researchers discovered that the TellYouThePass ransomware operators began exploiting this high-severity PHP bug mere hours after a proof-of-concept (PoC) exploit was publicly released on June 10, 2024.

The threat actors target exposed PHP servers to gain initial access and move laterally through victims’ networks before encrypting files and demanding ransom payments.

Figure: Malicious HTML Application

“The rapid weaponization of CVE-2024-4577 by the TellYouThePass ransomware group underscores the critical need for organizations to patch their PHP deployments without delay,” warned the Imperva research team. “We expect other threat actors to quickly adopt this exploit as part of their attack chains.”

PHP developers have released security updates addressing the RCE vulnerability in versions 8.2.7, 8.1.19, and 7.4.33. System administrators are strongly urged to upgrade their PHP installations to the latest patched releases to mitigate the risk of compromise.

The TellYouThePass ransomware first emerged in late 2021. It exploited the infamous Log4Shell vulnerability to infect Windows and Linux systems.

In 2022, the malware was rewritten in the Go programming language, enabling the operators to more easily target multiple operating systems, including macOS.

More recently, in November 2023, TellYouThePass was observed exploiting a critical RCE flaw (CVE-2023-46604) in Apache ActiveMQ message broker servers to breach and encrypt victims’ data.

Arctic Wolf security researchers found evidence linking the TellYouThePass gang to HelloKitty ransomware attacks leveraging the same ActiveMQ vulnerability.

With this latest PHP exploitation campaign, the TellYouThePass ransomware actor again demonstrates how rapidly it incorporates newly disclosed vulnerabilities into its attack toolkit.

Organizations running PHP in their environments must prioritize patching CVE-2024-4577 to defend against these evolving ransomware threats.

IoCs

URL: hxxp:/88.218.76[.]13/dd3.hta
C2 IP: 88.218.76[.]13
Hash (HTA sample): 95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3
Hash (HTA sample): 5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618
Hash (extracted .NET binary): 9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53
Bitcoin wallet address: bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l

Source: CybersecurityNews.com