Cisco Talos has discovered active exploitation of CVE-2024-4577 by an attacker seeking to gain access to victims' machines and carry out post-exploitation activities.
# Incident Report: Persistent Exploitation of CVE-2024-4577 Targeting Japanese Organizations
## Executive Summary
Cisco Talos discovered a persistent threat actor exploiting the critical PHP-CGI RCE vulnerability (CVE-2024-4577) to compromise organizations predominantly in Japan since January 2025. The attackers leveraged the exploit chain to establish remote access via Cobalt Strike, achieve SYSTEM-level privileges, and deploy post-exploitation tools, including credential harvesting tools like Mimikatz. Response actions involved identifying associated Command and Control (C2) infrastructure and generating specific detection signatures.
## Incident Details
- Discovery Date: Thursday, March 6, 2025 (Date of Talos discovery/publication)
- Incident Date: Beginning as early as January 2025
- Affected Organization: Multiple organizations across various verticals in Japan (Technology, Telecommunications, Entertainment, Education, E-commerce)
- Sector: Various (Mixed)
- Geography: Japan
## Timeline of Events
### Initial Access
- Date/Time: Starting January 2025
- Vector: Remote Code Execution (RCE) via CVE-2024-4577 (PHP-CGI flaw on Windows)
- Details: Attacker used a public Python exploit script (`PHP-CGI_CVE-2024-4577_RCE.py`) to send a crafted POST request. Successful exploitation allowed execution of an embedded PowerShell command.
### Lateral Movement
- Details: PowerShell executed a script that downloaded a Cobalt Strike shellcode injector from a C2 server and ran it in memory. Reconnaissance tools such as `fscan.exe` and `Seatbelt.exe` were used for network mapping. The attacker also attempted to abuse Group Policy Objects with `SharpGPOAbuse.exe` to execute scripts across the network.
### Data Exfiltration/Impact
- Details: The actor executed Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory. While credential theft was confirmed, the overall motive is assessed to likely include greater compromise based on persistence and privilege escalation activities.
### Detection & Response
- Details: Detected by Cisco Talos through monitoring C2 server artifacts and analysis of the intrusion chain. Response involved generating specific Snort rule sets for detection signatures.
## Attack Methodology
- Initial Access: Exploitation of **CVE-2024-4577** (RCE in PHP-CGI on Windows) via a Python script, leading to embedded PowerShell execution.
- Persistence: Established via modifying registry keys, adding scheduled tasks, and creating malicious services, utilizing plugins from the **Cobalt Strike "TaoWu"** kit.
- Privilege Escalation: Successful escalation to **SYSTEM-level access** using exploit programs such as **JuicyPotato, RottenPotato, and SweetPotato**.
- Defense Evasion: Erasing event logs using `wevtutil` commands (security, system, application logs).
- Credential Access: Execution of **Mimikatz** commands to dump credentials and NTLM hashes from memory.
- Discovery: Gathering system details, running enumeration tools like **Seatbelt.exe**.
- Lateral Movement: Used network scanning tool **`fscan.exe`** and attempted **Group Policy Object abuse (`SharpGPOAbuse.exe`)**.
- Collection: Gathering credentials and system information.
- Exfiltration: Stolen passwords/hashes were prepared for exfiltration (implied through Mimikatz execution).
- Impact: Compromise of credentials, potential for deeper network traversal and data theft.
## Impact Assessment
- Financial: Not specified, but likely involved significant remediation and investigation costs due to RCE and credential theft.
- Data Breach: Passwords and NTLM hashes were targeted for theft.
- Operational: Potential operational disruption due to the establishment of persistent C2 channels and privilege escalation activities.
- Reputational: Not explicitly stated, but impact on technology, telecom, and e-commerce sectors carries reputation risk.
## Indicators of Compromise
- Network Indicators (Defanged C2):
  - IP Address: 38[.]14[.]255[.]23
  - Ports: 8077 (HTTP)
  - Paths: /6Qeq, /jANd
- File Indicators: Cobalt Strike shellcode (injected into memory), TaoWu plugins.
- Behavioral Indicators: Use of JuicyPotato/RottenPotato, execution of `wevtutil` for log clearing, use of `SharpGPOAbuse.exe`.
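The following detection logic is an added example, not code from Talos or the report. It runs over constructed Sysmon-style process-creation lines and proxy log lines (the key=value format, field names and sample values are assumptions) and flags the behaviours and network indicators listed above: `php-cgi.exe` spawning a shell after CVE-2024-4577 exploitation, `wevtutil` clearing the security/system/application logs, and traffic to the C2 IP, port and paths from the report.

```python
import re
from typing import Dict, List, Tuple

# Network indicators from the report (refanged from the defanged form above).
C2_IP, C2_PORT = "38.14.255.23", "8077"
C2_PATHS = {"/6Qeq", "/jANd"}

# Constructed sample events (not from the report): a simplified key=value form
# standing in for Sysmon Event ID 1 (ProcessCreate) and a web-proxy access log.
SAMPLE_EVENTS = [
    "ProcessCreate ParentImage=C:\\php\\php-cgi.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell -nop -w hidden -enc AAAA",
    "ProcessCreate ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\wevtutil.exe CommandLine=wevtutil cl security",
    "ProcessCreate ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\wevtutil.exe CommandLine=wevtutil.exe clear-log Application",
    "ProcessCreate ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
    "Proxy dst=38.14.255.23:8077 path=/jANd",
    "Proxy dst=203.0.113.10:443 path=/index.html",
]

# Matches both the short ("cl") and long ("clear-log") wevtutil verbs for the three logs the actor wiped.
LOG_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\s+(security|system|application)\b", re.IGNORECASE)
CHILD_SHELLS = ("powershell.exe", "cmd.exe")
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Tuple[str, Dict[str, str]]:
    """Split 'Kind key=value key=value ...' into (Kind, fields). Values may contain spaces."""
    kind, _, rest = line.partition(" ")
    return kind, {m.group(1): m.group(2) for m in FIELD.finditer(rest)}


def detect(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, offending line) pairs for every event that matches a rule."""
    alerts = []
    for line in events:
        kind, f = parse_event(line)
        if kind == "ProcessCreate":
            parent, image = f.get("ParentImage", "").lower(), f.get("Image", "").lower()
            if parent.endswith("php-cgi.exe") and image.endswith(CHILD_SHELLS):
                alerts.append(("php-cgi spawned a shell (possible CVE-2024-4577 exploitation)", line))
            m = LOG_CLEAR.search(f.get("CommandLine", ""))
            if m:
                alerts.append((f"event log cleared: {m.group(1).lower()}", line))
        elif kind == "Proxy":
            if f.get("dst") == f"{C2_IP}:{C2_PORT}" or f.get("path") in C2_PATHS:
                alerts.append(("contact with C2 indicator from the Talos report", line))
    return alerts


if __name__ == "__main__":
    for rule, line in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {rule}: {line[:80]}")
```

On the sample data this raises four alerts: one for the php-cgi to PowerShell parent/child relationship, two for log clearing, and one for the C2 connection; the benign notepad and 203.0.113.10 lines stay silent.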
## Response Actions
- Containment: Not explicitly detailed, but implied containment involved identification of the C2 infrastructure.
- Eradication: Not explicitly detailed, but necessitated removal of persistence mechanisms (registry changes, scheduled tasks, services) and cleaning of injected shellcode.
- Recovery Actions: Rebuilding/re-imaging affected systems after ensuring all malicious components and persistence mechanisms were removed.
## Lessons Learned
- Publicly available vulnerabilities (like CVE-2024-4577) are rapidly weaponized by threat actors for initial access.
- Attackers are leveraging legitimate tooling (Cobalt Strike) alongside popular open-source exploits (Potato suite) for advanced post-exploitation.
- Misuse of cloud infrastructure (Alibaba Cloud Container Registry) for hosting adversarial tools complicates identification.
- Log clearing remains a critical defense evasion technique that requires proactive monitoring of security tools.
## Recommendations
- **Patch Management:** Immediately patch all Windows servers running vulnerable PHP-CGI configurations against CVE-2024-4577.
- **MFA Enforcement:** Implement Multi-Factor Authentication (MFA) to mitigate the risk of stolen credentials (NTLM hashes).
- **Least Privilege Principle:** Review and restrict privileges, especially limiting service accounts and enforcing tighter controls to hinder privilege escalation techniques like Potato exploits.
- **Network Monitoring:** Deploy strong endpoint detection and response (EDR) capable of detecting in-memory PowerShell injection and suspicious process relationships that bypass traditional file-based detection.
- **GPO Hardening:** Audit and restrict the ability of standard service accounts to modify Group Policy Objects.