Full Report
The TellYouThePass ransomware gang has been exploiting the recently patched vulnerability (CVE-2024-4577) in PHP to deploy webshells and execute their encryptor payload on target systems. Attacks started on June 8, just after the release of security updates, using publicly ava...
Analysis Summary
# Incident Report: TellYouThePass Ransomware Exploiting PHP RCE
## Executive Summary
The TellYouThePass ransomware gang began attacks on June 8, 2024, exploiting CVE-2024-4577, a critical argument-injection vulnerability in PHP's CGI mode on Windows that PHP had fixed two days earlier in versions 8.3.8, 8.2.20 and 8.1.29. The attackers used the flaw to deploy webshells and then ran their ransomware payload. The confirmed immediate impact is file encryption, with a ransom demand of 0.1 BTC (about $6,700) per victim.
## Incident Details
- **Discovery Date:** June 10, 2024 (Date of public report/contextual awareness)
- **Incident Date:** Started June 8, 2024
- **Affected Organization:** Multiple websites (Scope not fully detailed in context)
- **Sector:** Unspecified (Implied Web Services/Hosting)
- **Geography:** Unspecified
## Timeline of Events
### Initial Access
- **Date/Time:** Began June 8, 2024
- **Vector:** Exploitation of CVE-2024-4577, an argument-injection flaw in PHP's CGI mode on Windows (a soft hyphen, byte 0xAD, in the query string is converted to `-` by Windows code-page best-fit mapping, which lets a request pass command-line switches such as `-d` to php-cgi), on hosts that had not applied the June 6 fix.
- **Details:** Attackers used publicly available exploit code for the remote code execution (RCE) flaw within two days of the vendor patch release.
### Lateral Movement
- *Not described in the source. The reported chain (webshell deployment followed by execution of the encryptor) runs on the initially compromised web host; whether the actors moved to other systems is not stated.*
### Data Exfiltration/Impact
- **Impact:** File encryption on infected machines. Ransom demands of 0.1 BTC (~$6,700) were issued.
### Detection & Response
- **Detection:** Reported publicly on June 10, 2024.
- **Response actions taken:** *Not explicitly detailed. The expected response is to update PHP (or apply the vendor mitigation) and remove the webshells and encryptor.*
## Attack Methodology
- **Initial Access:** Remote Code Execution (RCE) via **CVE-2024-4577** in PHP CGI, using publicly available exploits.
- **Persistence:** Deployment of **webshells**.
- **Privilege Escalation:** *Not explicitly detailed.*
- **Execution / Defense Evasion:** `mshta.exe`, a signed Windows binary, runs a malicious HTA file whose VBScript decodes the ransomware binary and loads it directly in memory rather than dropping it to disk.
- **Credential Access:** *Not explicitly detailed.*
- **Discovery:** *Not explicitly detailed.*
- **Lateral Movement:** *Not explicitly detailed.*
- **Collection:** *Not explicitly detailed.*
- **Exfiltration:** *Not explicitly detailed (Focus appears to be encryption).*
- **Impact:** File encryption using the TellYouThePass ransomware variant. Ransom note deployment ("READ_ME10.html").
## Impact Assessment
- **Financial:** Ransom demanded (0.1 BTC / ~$6,700). Costs associated with remediation and downtime are implied.
- **Data Breach:** File encryption confirmed. *Nature/volume of data encrypted is unspecified.*
- **Operational:** Disruption likely occurred on affected websites due to encryption.
- **Reputational:** Damage associated with ransomware outbreak.
## Indicators of Compromise
- **Network indicators (defanged):** None published in the source (no C2 IP or domain is given). The post-exploitation stage contacts its C2 server with an HTTP request disguised as a request for a CSS resource.
- **File indicators:** Ransom note file: `READ_ME10.html`.
- **Behavioral indicators:** Execution of **mshta.exe** to run an HTA file whose VBScript decodes the ransomware binary into memory. On a web server the observable is a PHP or web-server worker process spawning `mshta.exe`; that process lineage has no legitimate cause.
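The following is an added detection example for the behavioral indicator above; it is not code from the source report or from the researchers who analysed the campaign. It applies a parent/child rule over Sysmon-style process-creation records (Event ID 1 fields `Image`, `CommandLine`, `ParentImage`, `ProcessId`): a PHP or web-server worker spawning `mshta.exe` or another script host is the signal, independent of what the HTA contains. The events, process IDs and paths are constructed for the example.

```python
"""Flag web-server worker processes that spawn script hosts such as mshta.exe."""
from pathlib import PureWindowsPath

# Processes that serve PHP on Windows. None of them has a legitimate reason to
# launch a script host; a webshell running inside them does.
WEB_WORKERS = {"php-cgi.exe", "php.exe", "httpd.exe", "apache.exe", "nginx.exe", "w3wp.exe"}

# Living-off-the-land binaries used by the reported chain (mshta.exe) and common variants.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "certutil.exe", "rundll32.exe"}

# Directories a web worker can usually write to; an HTA launched from one of them
# was most likely dropped by the attacker.
WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\",
                  "\\htdocs\\", "\\wwwroot\\")


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def suspicious(event: dict) -> list[str]:
    """Return the reasons a process-creation record is suspicious (empty if benign)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "").lower()
    reasons = []
    # Core rule: web-serving process -> script host.
    if parent in WEB_WORKERS and image in SCRIPT_HOSTS:
        reasons.append(f"web worker {parent} spawned {image}")
    # Secondary rules specific to mshta.exe, which also catch a different parent.
    if image == "mshta.exe":
        if "http://" in cmd or "https://" in cmd:
            reasons.append("mshta.exe loading remote content")
        if ".hta" in cmd and any(hint in cmd for hint in WRITABLE_HINTS):
            reasons.append("mshta.exe running an HTA from a writable or web-served directory")
    return reasons


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(ProcessId, reasons) for every suspicious event, in log order."""
    hits = []
    for event in events:
        reasons = suspicious(event)
        if reasons:
            hits.append((event["ProcessId"], reasons))
    return hits


# Constructed sample events (not from the reported incident). The XAMPP paths are an
# assumption chosen because XAMPP ships php-cgi.exe exposed by default.
SAMPLE_EVENTS = [
    {"ProcessId": 3080, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\Setup\launcher.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},                      # benign admin use
    {"ProcessId": 4412, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\xampp\php\php-cgi.exe"},                     # webshell recon
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\xampp\htdocs\uploads\x.hta",
     "ParentImage": r"C:\xampp\apache\bin\httpd.exe"},                # HTA stage
    {"ProcessId": 6001, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},             # benign
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The parent/child rule is deliberately the primary signal: it does not depend on the HTA name, its contents or the C2 address, none of which the source publishes, so it survives the actors changing those. The secondary rules add coverage when the script host is launched by a scheduled task or another non-web parent.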
## Response Actions
- **Containment measures:** *Not specified in the source.* Standard practice is to isolate affected systems, block the identified C2 communication, and take vulnerable PHP CGI endpoints offline until they are patched.
- **Eradication steps:** *Not specified in the source.* At minimum, remove the webshells and any dropped HTA or script files, terminate the in-memory encryptor process, and rotate credentials reachable from the compromised web host.
- **Recovery actions:** Restore encrypted files from clean backups and confirm that the PHP update (or the vendor mitigation) is in place before returning hosts to service.
## Lessons Learned
- **Key takeaways:** Threat actors weaponize newly disclosed critical N-day vulnerabilities immediately: the PHP fix shipped on June 6, 2024 and exploitation began on June 8, within 48 hours. Patching high-severity RCE flaws on a timescale of hours to days, not weeks, is essential.
- **What could have been done better:** Proactive monitoring for RCE-exploitation TTPs against known vulnerable software versions, including alerts on web-server workers spawning script hosts, even before official advisories confirm in-the-wild exploitation.
## Recommendations
- Update PHP on all Windows hosts to 8.3.8, 8.2.20, 8.1.29 or later (PHP 8.0 and older are end-of-life and receive no fix for **CVE-2024-4577**). Where an update cannot be applied immediately, apply the vendor mitigation of rejecting requests whose query string begins with `%AD` at the web server, and do not expose `php-cgi.exe` directly, as default XAMPP installations do.
- Implement strict monitoring for anomalous activity involving system binaries like **mshta.exe** executing script content from unusual locations or sources.
- Ensure comprehensive firewall/WAF rules are in place to detect and block exploit payloads targeting known RCE vulnerabilities.
- Harden the web tier so that code delivered through a webshell cannot execute: run the PHP worker under a low-privilege account, keep web-served directories non-writable by that account where the application allows, and block or alert on script hosts (`mshta.exe`, `wscript.exe`, `cscript.exe`) launched from web-server processes.
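The detection logic below is an added example, not code from the source report or from the researchers who analysed the campaign. It serves both the initial-access vector described in the timeline and the WAF recommendation above: it reproduces how a CGI front end turns a query string into php-cgi's argv and flags tokens that begin with a hyphen or with the 0xAD soft hyphen that Windows best-fit mapping converts into a hyphen, plus the INI directives the public exploit chain sets. The log lines are constructed; the exploit-shaped one follows the form of the public proof of concept and is not a captured request from the incident.

```python
"""Detect CVE-2024-4577-style php-cgi argument injection in web access logs."""
import re
from urllib.parse import unquote_to_bytes

# Request line inside an Apache "combined" style access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Leading bytes php-cgi's argv parser ends up seeing as '-'. 0x2D is a literal hyphen
# (the older CVE-2012-1823 pattern, which patched PHP rejects); 0xAD is the soft hyphen
# that Windows best-fit code-page mapping turns into '-', the CVE-2024-4577 trick.
DASH_BYTES = {0x2D, 0xAD}

# php-cgi switches worth flagging: -d (set INI entry), -s (print source),
# -n (ignore php.ini), -c (alternate php.ini path).
CGI_SWITCHES = set(b"dsnc")

# INI directives and wrapper the public exploit chain uses to turn the POST body into code.
INI_MARKERS = (b"allow_url_include", b"auto_prepend_file", b"php://input")


def cgi_argv(target: str) -> list[bytes]:
    """Reproduce how a CGI server derives argv from the query string.

    Per RFC 3875 the query string is passed as command-line arguments only when it
    contains no unencoded '='; the exploit therefore encodes '=' as %3d. Each
    '+'-separated token is percent-decoded to raw bytes so 0xAD is preserved.
    """
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    if "=" in query:
        return []
    return [unquote_to_bytes(tok) for tok in query.split("+") if tok]


def classify(target: str) -> list[str]:
    """Return the reasons a request target looks like php-cgi argument injection."""
    reasons = []
    for i, arg in enumerate(cgi_argv(target)):
        if len(arg) >= 2 and arg[0] in DASH_BYTES and arg[1] in CGI_SWITCHES:
            dash = "soft-hyphen(0xAD)" if arg[0] == 0xAD else "hyphen"
            reasons.append(f"argv[{i}] injects php-cgi switch -{chr(arg[1])} via {dash}")
    decoded = unquote_to_bytes(target).lower()
    for marker in INI_MARKERS:
        if marker in decoded:
            reasons.append(f"references {marker.decode()}")
    return reasons


def scan_log(lines: list[str]) -> list[dict]:
    """Scan access-log lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            findings.append({"method": m["method"], "target": m["target"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings


# Constructed sample log lines (not from the reported incident). The second one mirrors
# the shape of the public CVE-2024-4577 proof of concept; the others are benign or an
# older-style probe that patched PHP rejects.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jun/2024:10:01:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [08/Jun/2024:10:02:33 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 312 "-" "curl/8.4.0"',
    '203.0.113.5 - - [08/Jun/2024:10:03:01 +0000] "GET /search.php?q=php+-d+flags HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Jun/2024:10:04:44 +0000] "GET /hello.php?-s HTTP/1.1" 403 199 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["status"], f["method"], f["target"])
        for reason in f["reasons"]:
            print("   ", reason)
```

Two caveats when turning this into a WAF or log rule: match on the raw, still-encoded query string (the vendor's mod_rewrite mitigation matches `^%ad` case-insensitively for the same reason), because a normalizer that best-fits 0xAD to `-` before matching will hide the indicator; and a 200 on an exploit-shaped POST, as in the second sample line, means the request body was executed and the host should be treated as compromised rather than merely probed.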