A significant security vulnerability in PHP, identified as CVE-2024-4577, is being actively exploited by cybercriminals to spread cryptocurrency miners and remote access trojans like Quasar RAT. This flaw primarily affects Windows systems running PHP in CGI mode, allowing hackers to execute arbitrary code. Bitdefender reported a surge in exploitation attempts, notably in Taiwan, Hong Kong, and Brazil. Many attacks involve system reconnaissance, with a portion leading to the deployment of miners disguised as legitimate applications. Additionally, some attacks are aimed at modifying firewall settings to block rival cryptojacking groups. To protect against these threats, users are urged to update their PHP installations and restrict the use of tools like PowerShell to administrators only.
Recent investigations show that cybercriminals are taking advantage of a serious flaw in PHP, specifically CVE-2024-4577, to deploy harmful cryptocurrency miners and remote access trojans like Quasar RAT. This vulnerability affects Windows systems running PHP in CGI mode, enabling attackers to execute arbitrary code remotely.
According to cybersecurity experts from Bitdefender, there has been a notable increase in exploitation attempts since late last year. The majority of these attacks have been concentrated in Taiwan, Hong Kong, and Brazil.
About 15% of these attacks involve basic checks for the vulnerability, while others focus on gathering system information through reconnaissance. Martin Zugec, a technical director at Bitdefender, pointed out that around 5% of the identified attacks led to the installation of the XMRig cryptocurrency miner. Some of these miners are disguised as legitimate applications to evade detection.
Furthermore, attackers are modifying firewall settings on compromised servers to block other malicious IP addresses, indicating possible turf wars among different hacking groups. This behavior aligns with past observations of cryptojacking attacks terminating rival miner processes before deploying their own tools.
In response to these developments, experts recommend that users update their PHP installations and limit the use of tools like PowerShell to trusted users only. As cyber threats evolve, staying ahead with the latest security measures is essential for all organizations.
What is the PHP flaw being exploited?
Hackers are taking advantage of a serious problem in PHP, which is a programming language used for building websites. This flaw lets them sneak harmful software into systems.
What are Quasar RAT and XMRig Miners?
Quasar RAT is a type of malware that allows hackers to control infected computers remotely. XMRig Miners are tools that secretly use a computer’s power to mine cryptocurrency called Monero for the hacker’s profit.
How can I tell if my computer is infected?
Signs of infection can include slow performance, unexpected pop-up messages, or unknown programs running on your device. If you notice these issues, it’s a good idea to run a security scan.
What should I do if I think I’m affected?
First, disconnect your computer from the internet to stop the attack. Then, run antivirus software to check for malware. If you’re unsure how to proceed, seek help from a professional.
How can I protect myself against these attacks?
To stay safe, keep your software updated, use strong passwords, and install reliable security software. Avoid clicking on suspicious links or downloading unknown files to minimize your risk.