Dive Brief:
- CVE-2024-4577, a critical argument-injection vulnerability in PHP running in CGI mode on Windows, has come under widespread exploitation in several countries including the U.S. and the United Kingdom, GreyNoise said in a blog post Friday. The bug stems from Windows "Best-Fit" character conversion: a soft-hyphen byte (0xAD) in the query string is mapped to an ASCII hyphen before php-cgi parses its arguments, so an unauthenticated attacker can smuggle interpreter options such as -d allow_url_include=1 past PHP's guard against hyphen-prefixed query arguments and achieve remote code execution. Hosts running Traditional Chinese, Simplified Chinese or Japanese system locales are the most readily exploitable.
- The PHP vulnerability was first disclosed in June 2024 and patched in PHP 8.3.8, 8.2.20 and 8.1.29; it quickly came under attack from a variety of threat actors and malware campaigns, including the TellYouThePass ransomware, according to a Censys report.
- Cisco Talos last week reported attacks exploiting CVE-2024-4577 by an unknown threat actor against targets in Japan. GreyNoise's telemetry shows the activity is not confined to Japan: the vulnerability is under mass exploitation in several countries.
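The distinguishing feature of CVE-2024-4577 traffic is a percent-encoded soft hyphen (%AD) standing in for the "-" of a php-cgi option, so it can be picked out of ordinary web-server access logs. The script below is an added example, not code from the Cybersecurity Dive article, GreyNoise or Cisco Talos; it assumes Apache "combined" log lines, uses a handful of constructed sample entries, and emulates only the publicly documented 0xAD to "-" mapping (the option-letter and php.ini-directive lists are the author's heuristics, not a published signature):

```python
"""Flag CVE-2024-4577 exploitation attempts in web-server access logs.

php-cgi receives the request's query string as command-line arguments.
PHP refuses query arguments that begin with an ASCII hyphen, but on
Windows the "Best-Fit" code-page conversion turns the soft hyphen
(byte 0xAD, U+00AD) into '-', so a query string such as

    %ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input

reaches the interpreter as

    -d allow_url_include=1 -d auto_prepend_file=php://input

Added example: heuristic detector, not a vendor signature.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# Apache "combined" layout: client ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

SOFT_HYPHEN = 0xAD

# php.ini directives an attacker sets to turn option injection into code execution
# (run the POST body or a remote file as the script) or to weaken other defences.
SENSITIVE_DIRECTIVES = (
    "allow_url_include",
    "auto_prepend_file",
    "auto_append_file",
    "disable_functions",
    "open_basedir",
)

# php-cgi switches after the hyphen has been normalised: -d key=value, -s (show
# source), -n (ignore php.ini), -c path (alternative php.ini). Heuristic list.
OPTION_RE = re.compile(rb"(?:^|\s)-(?P<opt>[dsnc])\b")

# Constructed sample log lines (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:03:14:07 +0000] "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 3921
198.51.100.7 - - [12/Jan/2025:03:14:09 +0000] "GET /php-cgi/php-cgi.exe?%ADs HTTP/1.1" 200 1580
192.0.2.44 - - [12/Jan/2025:03:15:00 +0000] "GET /index.php?-d+allow_url_include%3d1 HTTP/1.1" 404 210
192.0.2.45 - - [12/Jan/2025:03:15:30 +0000] "GET /search.php?q=soft-drinks&page=2 HTTP/1.1" 200 8812
"""


def decode_query(target: str) -> bytes:
    """Return the query as raw bytes ('+' separates arguments), keeping the 0xAD byte intact."""
    if "?" not in target:
        return b""
    query = target.split("?", 1)[1]
    # Decode to bytes, not str: as UTF-8 a lone 0xAD is invalid and would be lost.
    return unquote_to_bytes(query.replace("+", " "))


def php_cgi_argv(target: str) -> List[str]:
    """Approximate the argv php-cgi ends up with after Best-Fit maps 0xAD to '-'."""
    normalised = decode_query(target).replace(bytes([SOFT_HYPHEN]), b"-")
    return normalised.decode("latin-1").split()


def classify_query(target: str) -> Optional[Dict[str, object]]:
    """Return a verdict dict for php-cgi option injection, or None when the query looks benign."""
    raw = decode_query(target)
    if not raw:
        return None
    normalised = raw.replace(bytes([SOFT_HYPHEN]), b"-")
    options = [m.group("opt").decode() for m in OPTION_RE.finditer(normalised)]
    if not options:
        return None
    lowered = normalised.lower()
    directives = [d for d in SENSITIVE_DIRECTIVES if d.encode() in lowered]
    if SOFT_HYPHEN in raw:
        # Only the soft-hyphen form slips past PHP's check for hyphen-prefixed arguments.
        label = "CVE-2024-4577 soft-hyphen argument injection"
    elif directives or "s" in options:
        label = "php-cgi option injection with a plain hyphen (should be rejected by PHP, still worth logging)"
    else:
        return None
    return {"label": label, "options": options, "directives": directives}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse access-log lines and return one hit per request that matches the injection pattern."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_query(m.group("target"))
        if verdict:
            hits.append({"ip": m.group("ip"), "target": m.group("target"), **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:<15} {hit['label']}")
        print("   options:", hit["options"], "directives:", hit["directives"])
        print("   php-cgi argv:", php_cgi_argv(str(hit["target"])))
```

Run against real logs, the soft-hyphen hits are the ones to triage first: a 200 response to a request carrying auto_prepend_file=php://input means the POST body was executed as PHP. The plain-hyphen branch exists because scanners still send the pre-2024 form of the same attack; a patched interpreter rejects it, but it identifies hosts being probed.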
Dive Insight:
“GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports,” the threat intelligence firm said in the blog post. “Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.”
Telemetry from GreyNoise’s global honeypot network shows the current wave of exploitation began in November 2024, with notable spikes in January and February in countries including Spain, the U.K., India, Taiwan and Malaysia. The company said it observed exploitation attempts from 1,089 unique IP addresses in January alone, and that more than 40% of the IP addresses launching attacks in the last 30 days are based in Germany and China.
It’s unclear if the mass exploitation stems from a single source. “In February, GreyNoise detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets,” the company said.
Cisco Talos researchers observed an unknown threat actor exploiting the flaw for initial access against Japanese organizations in several industries, including telecom, technology and education. The attacks began in January 2025 and involved plug-ins from the publicly available Cobalt Strike kit “TaoWu,” which the attacker used for post-exploitation activity.
“Talos noticed the attacker’s attempt at stealing the victim’s machine credentials,” Cisco Talos’ Chetan Raghuprasad wrote in the blog post. “However, we assess with moderate confidence that the attacker’s motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks.”