The critical vulnerability was published on June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday.
Censys researchers said that exploitation by the TYTP gang started on June 7 and mirrored past incidents in which attackers mass-scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately target any accessible server.
“Given that XAMPP is vulnerable by default, it’s reasonable to guess that most of the infected systems are running XAMPP,” the researchers said. This Censys query lists the infections that are explicitly affecting the platform.
https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=%28services%3A+%28http.response.body%3A%7B%22READ_ME9.html%22%2C+%22READ_ME10.html%22%2C+%22READ_ME11.html%22%7D+and+http.response.body%3A%22%2A.locked%2A%22%29%29+and+services.software.product%3D%60XAMPP+Server%60
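The Censys query above is URL-encoded, which makes its detection logic hard to read. The following added example (not code from the article or from Censys) decodes the query and applies the same predicate locally to constructed sample host records, so a defender can re-use the indicators against their own HTTP inventory; the sample host data is made up for illustration.

```python
from urllib.parse import urlparse, parse_qs

# The Censys search URL quoted in the article (copied verbatim).
CENSYS_URL = (
    "https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE"
    "&q=%28services%3A+%28http.response.body%3A%7B%22READ_ME9.html%22%2C+"
    "%22READ_ME10.html%22%2C+%22READ_ME11.html%22%7D+and+http.response.body"
    "%3A%22%2A.locked%2A%22%29%29+and+services.software.product%3D%60XAMPP+Server%60"
)

# Ransom-note filenames the query looks for in the HTTP response body.
RANSOM_NOTES = ("READ_ME9.html", "READ_ME10.html", "READ_ME11.html")


def decoded_query(url: str) -> str:
    """Return the human-readable Censys query carried in the URL's q= parameter."""
    return parse_qs(urlparse(url).query)["q"][0]


def matches_tytp_indicators(body: str, software_product: str) -> bool:
    """Apply the query's predicate to one host: a ransom-note filename AND a
    '.locked' reference in the body, AND the software tagged as XAMPP Server."""
    has_note = any(name in body for name in RANSOM_NOTES)
    has_locked = ".locked" in body
    return has_note and has_locked and software_product == "XAMPP Server"


# Constructed sample host records (hypothetical, for illustration only).
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "software": "XAMPP Server",
     "body": '<a href="READ_ME10.html">notice</a> index.php.locked'},
    {"ip": "192.0.2.11", "software": "XAMPP Server",
     "body": "<html><body>It works!</body></html>"},
    {"ip": "192.0.2.12", "software": "nginx",
     "body": "READ_ME9.html data.sql.locked"},
]


def flag_hosts(hosts: list) -> list:
    """Return the IPs of hosts whose records satisfy the Censys predicate."""
    return [h["ip"] for h in hosts if matches_tytp_indicators(h["body"], h["software"])]


if __name__ == "__main__":
    print(decoded_query(CENSYS_URL))
    print(flag_hosts(SAMPLE_HOSTS))
```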
The researchers aren’t aware of any specific platforms other than XAMPP that have been compromised.