Organizations attacked via Windows PHP remote code execution flaw
Take action: If you are using PHP on any of your systems and still haven't patched, it's time to act. Hackers are now actively exploiting the CVE-2024-4577 flaw. Update the version of PHP or start implementing mitigation rules ASAP.
Cisco Talos security researchers are reporting a cyber attack campaign predominantly targeting Japanese organizations across multiple sectors including technology, telecommunications, entertainment, education, and e-commerce. The malicious activities, conducted by an unidentified threat actor, have been ongoing since at least January 2025.
The attackers have exploited CVE-2024-4577 (CVSS score 9.8), a remote code execution vulnerability in the PHP-CGI implementation of PHP on Windows systems.
The attack chain begins with the exploitation of vulnerable public-facing applications using a publicly available Python script, "PHP-CGI_CVE-2024-4577_RCE.py", that targets this vulnerability. After a successful breach, the attackers execute PowerShell commands that download Cobalt Strike reverse HTTP shellcode and inject it into the memory of the victim's machine.
After gaining initial access, the attackers utilize plugins from the publicly available "TaoWu" Cobalt Strike kit to perform various post-exploitation activities:
- Reconnaissance: Gathering system details and user privileges using commands like "whoami /all"
- Privilege Escalation: Executing various "Potato" exploits (JuicyPotato, RottenPotato, SweetPotato) to gain SYSTEM-level access
- Persistence: Modifying registry keys, creating scheduled tasks, and establishing malicious services
- Detection Evasion: Erasing Windows event logs using "wevtutil" commands
- Lateral Movement: Conducting network reconnaissance using tools like "fscan.exe" and "Seatbelt.exe"
- Credential Access: Executing Mimikatz commands to dump passwords and NTLM hashes from memory
The attackers have utilized two command and control (C2) servers with IP addresses 38.14.255.23 and 118.31.18.77, both hosted on Alibaba Cloud.
While Cisco Talos has not attributed these attacks to any specific threat actor, they noted similarities in techniques with a hacker group called "Dark Cloud Shield" or "You Dun" that was active in 2024.
Organizations are advised to update their PHP installations, monitor for suspicious PowerShell activities, and implement network segmentation to prevent lateral movement.
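The post-exploitation behaviours listed above, the two C2 addresses, and the recommendation to monitor PowerShell activity translate directly into detection rules. The following is an added example written for this article, not Talos tooling or anything from the report: it runs a small set of rules over constructed process-creation and network telemetry (invented sample records, not data from the campaign) and returns, per host, which behaviours were seen. The rule that flags php-cgi.exe spawning PowerShell is an assumption about how the described PowerShell stage would appear in endpoint telemetry; the article does not state the parent process. Event field names (host, parent_image, image, command_line, dest_ip) are likewise assumed, not taken from any product.

```python
"""Detection rules for the TTPs described in the Talos report, run over
constructed sample telemetry. Example code; field names and the sample
records are assumptions, not data from the article."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the article: the two C2 addresses on Alibaba Cloud.
C2_ADDRESSES = {"38.14.255.23", "118.31.18.77"}

# Command-line rules, one per behaviour the article lists. Each regex is
# matched against the lower-cased command line.
COMMAND_RULES = [
    ("recon_whoami_all", re.compile(r"\bwhoami\b.*\s/all\b")),
    ("evasion_wevtutil_clear", re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b")),
    ("lateral_scan_tool", re.compile(r"\b(fscan|seatbelt)\.exe\b")),
    ("cred_mimikatz", re.compile(r"\b(mimikatz|sekurlsa::logonpasswords)\b")),
    ("privesc_potato", re.compile(r"\b(juicy|rotten|sweet)potato\b")),
    # PowerShell with download-and-execute or encoded-command indicators.
    ("ps_download_inject", re.compile(
        r"\bpowershell(\.exe)?\b.*(downloadstring|\biex\b|invoke-expression|-enc)")),
]


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class NetworkEvent:
    host: str
    image: str
    dest_ip: str
    dest_port: int


def check_process(ev: ProcessEvent) -> list[str]:
    """Return the names of all rules a single process event triggers."""
    hits: list[str] = []
    # Assumption (not stated in the article): the PHP-CGI exploit stage shows
    # up as the web server's php-cgi.exe launching PowerShell.
    if ev.parent_image.lower().endswith("php-cgi.exe") and "powershell" in ev.image.lower():
        hits.append("php_cgi_spawns_powershell")
    cmd = ev.command_line.lower()
    for name, rx in COMMAND_RULES:
        if rx.search(cmd):
            hits.append(name)
    return hits


def check_network(ev: NetworkEvent) -> list[str]:
    """Flag outbound connections to the C2 addresses named in the article."""
    return ["c2_known_address"] if ev.dest_ip in C2_ADDRESSES else []


def triage(process_events: list[ProcessEvent],
           network_events: list[NetworkEvent]) -> dict[str, list[str]]:
    """Map each host with at least one hit to the sorted list of rules it triggered."""
    findings: dict[str, set[str]] = {}
    for pev in process_events:
        for hit in check_process(pev):
            findings.setdefault(pev.host, set()).add(hit)
    for nev in network_events:
        for hit in check_network(nev):
            findings.setdefault(nev.host, set()).add(hit)
    return {host: sorted(rules) for host, rules in findings.items()}


# Constructed sample telemetry: a compromised web host and a clean workstation.
SAMPLE_PROCESSES = [
    ProcessEvent("web01", r"C:\php\php-cgi.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -enc QUFBQUFBQUE="),  # placeholder payload
    ProcessEvent("web01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ProcessEvent("web01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ProcessEvent("web01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\Public\fscan.exe", "fscan.exe"),
    ProcessEvent("app02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]
SAMPLE_NETWORK = [
    NetworkEvent("web01", "powershell.exe", "38.14.255.23", 80),
    NetworkEvent("app02", "chrome.exe", "203.0.113.10", 443),  # TEST-NET-3, benign
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_PROCESSES, SAMPLE_NETWORK).items():
        print(f"{host}: {', '.join(rules)}")
```

Only web01 is reported, with six distinct behaviours; app02 generates no findings. In a real deployment the same rules would be fed from process-creation and network-connection events (for example Sysmon or EDR telemetry), and the php-cgi parent-process rule is the one worth tuning first, since a PHP-on-Windows web server that legitimately launches PowerShell would otherwise be noisy.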