Cyberstorm Unleashed: The Exploitation of PHP Vulnerability to Deploy ShellBot

PHP Vulnerability, ShellBot Malware, DDoS Botnet
CVE-2024-4577 (CVSS score: 9.8) is a critical vulnerability that allows remote command execution on Windows systems, particularly those running Chinese or Japanese language locales. Publicly disclosed in early June 2024, the flaw lets an attacker break out of the command line and pass arguments directly to the PHP interpreter. According to Akamai researchers, the root cause is the conversion of Unicode characters to ASCII, and it affects PHP installations running in CGI mode.
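The request shape that paragraph describes can be picked out of ordinary web server access logs: the CGI handler only passes a query string to the interpreter as command-line arguments when the query contains no literal '=', so an argument whose leading byte is non-ASCII and is followed by an option letter is the signature of a character smuggled past the hyphen filter. The scanner below is an added example written for this page, not code from the campaign report; the log lines are constructed, and the check flags any non-ASCII leading byte rather than one specific character, so it covers every byte that best-fit conversion could turn into a hyphen.

```python
import re
from urllib.parse import unquote_to_bytes

# Access-log lines in Common Log Format, constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2024:12:01:09 +0000] "GET /php-cgi/php-cgi.exe?%ADd+display_errors%3d1 HTTP/1.1" 200 17
198.51.100.2 - - [10/Jun/2024:12:02:15 +0000] "GET /test.php?name=caf%C3%A9 HTTP/1.1" 200 88
198.51.100.9 - - [10/Jun/2024:12:03:40 +0000] "GET /cgi-bin/php.exe?%ADs HTTP/1.1" 200 3021
192.0.2.4 - - [10/Jun/2024:12:04:01 +0000] "GET /search.php?q=a+b HTTP/1.1" 200 40
"""

# client ip, method, request URI and status code from a Common Log Format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_suspicious_query(query: str) -> bool:
    """True if the query looks like CGI argument injection via a non-ASCII 'hyphen'."""
    # A literal '=' marks a normal form submission; the CGI handler hands the query
    # to the interpreter as argv only when no '=' is present.
    if '=' in query:
        return False
    for arg in query.split('+'):
        raw = unquote_to_bytes(arg)
        # Leading byte >= 0x80 followed by an ASCII option letter: the Unicode-to-ASCII
        # conversion turns that byte into '-', yielding an option such as "-d" or "-s".
        if len(raw) >= 2 and raw[0] >= 0x80 and raw[1:2].isalpha():
            return True
    return False


def scan_log(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, request_uri) for every request matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, uri, _status = m.groups()
        path, _, query = uri.partition('?')
        # Only PHP handlers are in scope for this vulnerability; skip requests with no query.
        if 'php' not in path.lower() or not query:
            continue
        if is_suspicious_query(query):
            hits.append((ip, uri))
    return hits


if __name__ == '__main__':
    for ip, uri in scan_log(SAMPLE_LOG):
        print(f'ALERT {ip} {uri}')
```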

Indicators of Compromise

hello.world
download.c3pool.org

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1003 - OS Credential Dumping

For OS Credential Dumping, manage the access control list for "Replicating Directory Changes" and associated permissions. Add users to the "Protected Users" group in Active Directory to limit plaintext credential caching. Enable Attack Surface Reduction (ASR) rules on Windows 10 to secure LSASS and prevent credential theft. Implement Credential Guard in Windows 10 to protect LSA secrets, though it requires specific hardware and firmware. Secure Domain Controller backups and consider disabling NTLM and WDigest authentication. Use complex, unique passwords for local admin accounts across the network. Unless strictly controlled, avoid placing user or admin domain accounts in local admin groups. Enable Protected Process Light for LSA on Windows 8.1 and Server 2012 R2. Train users to avoid credential overlap across accounts.

T1027 - Obfuscated Files or Information

Deploy anti-virus software to detect and quarantine suspicious files, and utilize AMSI on Windows 10+ for command analysis. Regularly audit fileless storage locations like the Registry and WMI repository for abnormal data. Enable ASR rules on Windows 10+ to prevent obfuscated payload execution. Restrict access to software deployment systems and limit ingress points to necessary personnel.

T1056 - Input Capture & T1057 - Process Discovery

These techniques rely on system features and cannot be easily mitigated with preventive controls. To detect and respond to these threats, focus on continuous monitoring and a robust incident response strategy.

T1071 - Application Layer Protocol

Use network appliances to filter ingress and egress traffic, performing protocol-based filtering. Configure endpoint software to filter network traffic. Implement network intrusion detection and prevention systems with network signatures to identify malware traffic.

T1082 - System Information Discovery

Like Input Capture and Process Discovery, this technique relies on system features and cannot easily be mitigated with preventive controls. Employ continuous monitoring and a strong incident response strategy.

T1091 - Replication Through Removable Media

Enable ASR rules on Windows 10 to block unsigned or untrusted executable files from USB drives. Disable Autorun if unnecessary, and restrict removable media use at the organizational policy level. Limit the use of USB devices within the network.

T1112 - Modify Registry

Set proper permissions for Registry hives to prevent unauthorized key modifications that could lead to privilege escalation.

T1120 - Peripheral Device Discovery & T1547 - Boot or Logon Autostart Execution

These techniques cannot be easily mitigated with preventive controls. Implement continuous monitoring and an effective incident response strategy.

T1571 - Non-Standard Port

Use network intrusion detection and prevention systems with network signatures to identify malware traffic. Configure firewalls and proxies to limit outgoing traffic to necessary ports for the network segment.

By implementing these targeted remediations, organizations can enhance their security posture and protect against various cyber attack techniques.


Observed Countries (6)

CN (895)
DK (213)
JP (909)
RU (447)
TH (744)
US (867)