TellYouThePass Ransomware Operators Actively Exploiting PHP Flaw

Published on
October 7, 2024

Researchers have detected active attacks leveraging the TellYouThePass ransomware, exploiting a newly reported PHP vulnerability, tracked as CVE-2024-4577.  

This vulnerability emerged after an authentication bypass was identified in a recent patch designed to fix a 12-year-old code execution flaw, The Hacker News reports.

The PHP development team quickly released a fix in versions 8.3.8, 8.2.20, and 8.1.29, but threat actors moved swiftly to exploit the flaw before many users could update their systems.

The attack campaign uses the mshta.exe binary to execute a malicious HTML application. This application runs a VBScript that decodes into a binary payload, loading the ransomware directly into memory during runtime.  

Upon analysis, researchers identified a .NET variant of TellYouThePass, which communicates with its command-and-control (C&C) server over HTTP, encrypts files on compromised systems, and demands a ransom of 0.1 BTC.

The campaign has already compromised numerous systems and websites. The speed and scale of the exploitation highlight how rapidly attackers can take advantage of unpatched systems.  

Users are urged to apply the patch for CVE-2024-4577 immediately and to bolster their defenses with robust antimalware solutions and web application firewalls (WAFs) to mitigate future attacks.

Takeaway: Ransomware operators are increasingly leveraging automation to exploit unpatched vulnerabilities and system misconfigurations at a much faster pace.  

This shift allows attackers to target a greater number of victims in less time, highlighting the importance of patching and vulnerability management.  

However, organizations face numerous challenges in keeping their systems updated. Applying patches often requires extensive testing in development environments to avoid disrupting critical business operations.  

This complexity is further compounded by the presence of legacy systems and custom-built applications, which may not be compatible with new patches. Ransomware attackers are quick to capitalize on security gaps, using automated tools to scan for and exploit both new and existing vulnerabilities.  

Recent campaigns, such as those involving Cl0p and other ransomware groups, show how efficiently these attackers can identify weaknesses and launch attacks on a massive scale.

The ransomware landscape has evolved significantly over the past few years, with cybercriminals reinvesting their profits into hiring skilled developers and creating bespoke tools.

The ransomware payload is the very tail-end of a longer attack, so a multi-layer defense strategy that is designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

1
2
3
Let's get started
1
1
2
3
1
1
2
2
3
Back
Next
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.