A recent discovery by researchers has revealed a concerning development in the cyber threat landscape – active attacks from the TellYouThePass ransomware exploiting a recently reported PHP vulnerability. This urgent situation underscores the critical need for users to promptly patch their systems to prevent falling victim to these exploits.
TellYouThePass Ransomware Exploiting PHP Vulnerability
Imperva, in a recent blog post, disclosed that threat actors behind the TellYouThePass ransomware have launched attacks targeting the recently disclosed and patched PHP vulnerability, CVE-2024-4577.
The vulnerability gained attention due to an authentication bypass found in a previous patch for a long-standing code execution flaw. Despite receiving a fix in PHP versions 8.3.8, 8.2.20, and 8.1.29, threat actors wasted no time in exploiting the flaw before users could secure their systems.
Imperva’s researchers observed active exploitation of the vulnerability, directly linked to the TellYouThePass ransomware. The attackers utilized the mshta.exe binary to execute a malicious HTML application, which contained a VBScript that decoded into a binary running in memory.
Further analysis uncovered a .NET variant of the ransomware, demonstrating typical ransomware behavior such as file encryption, communication with a C&C server over HTTP, and the deployment of a ransom note demanding 0.1 BTC.
Despite the release of a patch, the ransomware has already infected numerous systems and websites, highlighting the rapid and widespread impact of such attacks. Users are urged to promptly patch their systems for CVE-2024-4577 and bolster their defenses with robust antimalware solutions and web application firewalls to mitigate similar threats.
Share your thoughts in the comments section below.
