PHP-CGI RCE Flaw Exploited in Attacks on Japan’s Tech, Telecom, and E-Commerce Sectors

Summary: A malicious campaign targeting several sectors in Japan has been attributed to unknown threat actors exploiting CVE-2024-4577, a vulnerability in PHP. The attackers use Cobalt Strike plugins for post-exploitation, establishing persistent access and conducting reconnaissance to steal credentials and sensitive data. The tooling they host on Alibaba Cloud servers suggests that their motives may extend beyond credential harvesting, pointing to potential future attacks.

Affected: Organizations in Japan across technology, telecommunications, entertainment, education, and e-commerce sectors

Key points:

  • Exploitation of CVE-2024-4577 for initial access to systems.
  • Use of Cobalt Strike's TaoWu plugins for post-exploitation activities, including persistence and privilege escalation.
  • Discovery of openly accessible command-and-control servers hosting various adversarial tools, suggesting a high risk of future attacks.

Source: https://thehackernews.com/2025/03/php-cgi-rce-flaw-exploited-in-attacks.html