New Malware Uses PHP Exploit to Backdoor Windows Systems - Stay Informed!



Introduction

In a bold and sophisticated attack, unknown cybercriminals have unleashed a potent new backdoor, dubbed Msupedge, on a Taiwanese university's Windows systems. The hackers likely infiltrated the network by exploiting a recently patched, yet dangerously critical, PHP remote code execution vulnerability, tracked as CVE-2024-4577.

This vulnerability, patched just this past June, exposes PHP installations running in CGI mode on Windows systems to catastrophic breaches. In the wrong hands, it allows unauthenticated attackers to run arbitrary code, putting entire systems at risk of total compromise with just a single strike.


Research

The cunning attackers didn't stop there: they deployed their malicious payload as two seemingly innocuous dynamic link libraries, weblog.dll and wmiclnt.dll. The first of these, weblog.dll, was quietly loaded by the Apache httpd.exe process, silently embedding itself into the university's infrastructure. But what sets Msupedge apart is its covert method of communication: DNS traffic. While DNS-based C&C traffic is not unheard of, it's rarely seen in the wild, making this attack particularly stealthy and sophisticated.

Msupedge uses DNS tunneling, with an implementation based on the open-source dnscat2 tool, to discreetly funnel data within DNS queries and responses. Through this covert channel, the malware receives commands from its C&C server, ready to execute its malicious tasks.

But the real kicker? Msupedge can execute a variety of commands, and which one runs is selected by the third octet of the IP address of the C&C server. Once activated, it can launch processes, download files, and even manage temporary files, all without raising alarms.
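As an added, defender-side example (not code from the original article or from Symantec's report), here is a small Python detector run over constructed DNS query log lines. It flags queries whose leading label looks like the long hex-encoded payload a dnscat2-style tunnel puts into subdomains, and records the third octet of any resolved address, since the article notes that Msupedge keys its commands on that value. The log format, the domain names, the client address and the thresholds are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (time, client, qname, qtype, answer).
# Made-up records for illustration, not data from the Symantec report;
# "c2-placeholder.test" stands in for whatever domain a real tunnel would use.
SAMPLE_LOG = """\
2024-07-01T10:00:01Z 10.0.5.23 www.example.com A 93.184.216.34
2024-07-01T10:00:02Z 10.0.5.23 3f9a0b1c2d4e5f60718293a4b5c6d7e8f90a1b2c3d.c2-placeholder.test TXT -
2024-07-01T10:00:03Z 10.0.5.23 7b2c9d0e1f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d.c2-placeholder.test A 10.20.3.4
2024-07-01T10:00:04Z 10.0.5.23 mail.example.com A 93.184.216.35
"""

# dnscat2-style tunnels carry their payload as hex in the leading label, which
# makes for unusually long, evenly mixed hex-only labels. Length is an assumed threshold.
HEX_LABEL = re.compile(r"^[0-9a-f]{20,}$")

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_suspicious(qname, min_entropy=3.0):
    """True when the first label looks like hex-encoded tunnel data (threshold assumed)."""
    first = qname.split(".")[0].lower()
    return bool(HEX_LABEL.match(first)) and shannon_entropy(first) >= min_entropy

def third_octet(answer):
    """Third octet of an IPv4 answer, or None when there was no usable A record."""
    parts = answer.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) < 256 for p in parts):
        return None
    return int(parts[2])

def scan(log_text):
    """One record per suspicious query, keeping the resolved address's third octet to pivot on."""
    hits = []
    for line in log_text.splitlines():
        ts, client, qname, qtype, answer = line.split()
        if is_suspicious(qname):
            hits.append({"time": ts, "client": client, "qname": qname,
                         "qtype": qtype, "answer_third_octet": third_octet(answer)})
    return hits
```

Running `scan(SAMPLE_LOG)` on the constructed log yields two hits, both for the placeholder tunnel domain; the legitimate-looking queries are ignored.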


The Exploitation of a Critical Flaw

Symantec's Threat Hunter Team, the vigilant defenders who uncovered this stealthy backdoor, believes the hackers gained their foothold by exploiting the CVE-2024-4577 vulnerability. This flaw is particularly dangerous as it bypasses protections that were put in place for an older vulnerability, CVE-2012-1823—a loophole that cybercriminals had previously exploited to deploy RubyMiner malware on Linux and Windows servers.

"The initial intrusion likely came through the exploitation of the freshly patched PHP vulnerability, CVE-2024-4577," reported Symantec's Threat Hunter Team. Their findings suggest that cybercriminals have been scanning the internet for vulnerable systems, waiting to pounce on unpatched servers.

In a sinister twist, a day after the PHP team rolled out patches for CVE-2024-4577, researchers at watchTowr Labs released a proof-of-concept (PoC) exploit, demonstrating just how easily the flaw could be weaponized. The Shadowserver Foundation quickly followed with reports of real-world exploitation attempts against its honeypots.

And as if on cue, less than 48 hours after the patch was released, the notorious TellYouThePass ransomware gang joined the fray. They wasted no time in exploiting the vulnerability, deploying webshells and encrypting systems at a chilling pace.

This attack serves as a stark reminder of the relentless ingenuity of cybercriminals and the critical importance of patching vulnerabilities before they can be exploited. In the ever-evolving landscape of cybersecurity, staying a step ahead is the only way to avoid becoming the next target.
