TellYouThePass Ransomware Exploits Recent PHP RCE Flaw to Breach Servers

The notorious TellYouThePass ransomware gang is back in action, exploiting the recently patched CVE-2024-4577 remote code execution (RCE) vulnerability in PHP to infiltrate servers. This flaw, which was patched on June 6, is being leveraged to deploy webshells and execute the ransomware payload on compromised systems.

Swift Exploitation

Just 48 hours after the PHP security updates were released, attacks began on June 8, capitalizing on publicly available exploit code. This rapid exploitation showcases the agility of TellYouThePass, a group known for swiftly adopting public exploits of widely impactful vulnerabilities. Their previous attacks include exploiting an Apache ActiveMQ RCE last November and the infamous Log4j vulnerability in December 2021.

Attack Methodology

In the latest wave of attacks, cybersecurity researchers at Imperva identified that TellYouThePass is using the critical CVE-2024-4577 bug to execute arbitrary PHP code. The attackers employ the Windows mshta.exe binary to run a malicious HTML application (HTA) file. This file contains VBScript, which decodes a base64-encoded string into a binary, loading a .NET variant of the ransomware into the host's memory.

Once executed, the malware communicates with a command-and-control (C2) server disguised as a CSS resource request. It then proceeds to encrypt files on the infected machine and leaves behind a ransom note titled "READ_ME10.html," instructing victims on how to recover their files.

Ransom Demands and Impact

Forum posts on BleepingComputer reveal that since June 8, multiple victims have fallen prey to TellYouThePass, with ransom demands set at 0.1 BTC (approximately $6,700) for the decryption key. One notable victim reported that their website-hosting computer was encrypted, affecting multiple sites.

The Vulnerability

CVE-2024-4577 is a critical RCE vulnerability impacting all PHP versions since 5.x. It arises from unsafe character encoding conversions on Windows when PHP is run in CGI mode. The flaw was discovered by Devcore's Orange Tsai on May 7 and reported to the PHP team; a fix was delivered on June 6 with the release of PHP versions 8.3.8, 8.2.20, and 8.1.29.
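Two defender-side checks that follow from the article's details above (the fixed releases per branch, and the PHP-to-mshta.exe chain from the Attack Methodology section), as an added example that is not part of the original article. The branch/fix table comes from the article; the process-event field names, the sample events and the assumption that the Windows CGI binary is named php-cgi.exe are mine.

```python
"""Defender-side checks for the CVE-2024-4577 / TellYouThePass activity
described in the article. Added example, not from the article: the fix
table is the article's, the event format and php-cgi.exe parent name
are assumptions."""
import re

# Fixed releases named in the article: a branch is patched from these on.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

def parse_version(text):
    """'8.2.19' or 'PHP 8.2.19-dev' -> (8, 2, 19)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(text):
    """True only for a release at or above the fix on a supported branch.
    Assumption: branches with no listed fix (5.x to 7.x, 8.0) are treated
    as unpatched, since the article says every version since 5.x is hit."""
    v = parse_version(text)
    fix = FIXED.get(v[:2])
    return fix is not None and v >= fix

# Constructed process-creation events (parent -> child), as a Sysmon or
# EDR feed might emit them. Field names and paths are assumptions.
SAMPLE_EVENTS = [
    {"parent": r"C:\php\php-cgi.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Windows\Temp\dd.hta"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\tools\intranet.hta"},
    {"parent": r"C:\php\php-cgi.exe", "image": r"C:\php\php.exe",
     "cmdline": r"php.exe -v"},
]

def suspicious_mshta(events):
    """Flag mshta.exe spawned by the PHP CGI process: the article's chain is
    PHP RCE -> mshta.exe -> HTA -> in-memory .NET ransomware."""
    hits = []
    for ev in events:
        parent = ev["parent"].lower().rsplit("\\", 1)[-1]
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        if parent == "php-cgi.exe" and image == "mshta.exe":
            hits.append(ev["cmdline"])
    return hits

if __name__ == "__main__":
    for v in ("8.2.19", "8.2.20", "7.4.33", "8.3.8"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    print(suspicious_mshta(SAMPLE_EVENTS))
```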

Rapid Spread and Exposure

On June 7, WatchTowr Labs released proof-of-concept (PoC) exploit code for CVE-2024-4577. That same day, The Shadowserver Foundation observed exploitation attempts against its honeypots. According to Censys, over 450,000 exposed PHP servers could be vulnerable to this RCE flaw, most of them located in the United States and Germany. Cloud security startup Wiz estimates that about 34% of these instances might be susceptible.

The TellYouThePass ransomware gang's exploitation of the CVE-2024-4577 vulnerability highlights the critical importance of promptly applying security patches. Organizations running PHP servers should immediately update to the latest versions to mitigate the risk of ransomware attacks and safeguard their systems from such swift and dangerous exploits.

Stay vigilant, keep your systems updated, and ensure robust security measures are in place to protect against emerging threats.