Known PHP Flaw Actively Exploited for RCE; Fortra: Malicious Use of Cobalt Strike Down 80 Percent

We have seen this exploited at least since last June in our ISC honeypots. Attackers exploiting it now are a bit late to the party, mopping up systems that the simpler automated attacks may have missed.

Johannes Ullrich

This is a doozy because it requires some history. First, the exploit was originally patched in 2012; CVE-2012-1823. Secondly, this was found by Orange Tsai of the Devcore team in 2024. The vulnerability is very 'edge case,' which is why we see the attacks in specific countries. There is a feature of Windows that I knew about in Linux but was unaware of its name, which Windows refers to as 'Best-Fit.' The idea is that UTF characters can be upgraded or downgraded to fit different UTF versions. Because of 'Best-Fit' in Windows, there is a workaround to the 2012 patch by using different language sets, of which Traditional Chinese, Simplified Chinese, and Japanese are known to be vulnerable. If you have systems implemented in these languages, are running Windows as the OS, have a vulnerable version of PHP, and are running PHP-CGI, then you are vulnerable. What is surprising is that in Japan specifically, many systems have been impacted. Who knew?

Moses Frost

At least part of the decline should be attributed to the emergence of different tools that offer an alternative to Cobalt Strike.

Johannes Ullrich

On the surface, this would seem like a win. I will, however, state a few things lost in the article here. First, it doesn't analyze whether the attacker groups have moved to a different C2 infrastructure since the EDRs are tuned to shut down Cobalt Strike. The attacker groups could have moved to an alternative C2, of which there are many now, or their tooling. Second, this is just 'known pirated CS.Ó What about unknown pirated CS? The other interesting thing to note is the three groups involved: Fortra (the makers of Cobalt Strike) Microsoft, and the HS-ISAC. I would suppose it is because of all the ransomware being deployed. What about the other ISACs? A win is always a win; however, I'm not sure what to make of this and how big of a win this is.

Moses Frost

This could be a feel good news story as a community, but won't save you as a target. Preventing/Detecting/responding to the use of Cobalt Strike and other tools like it should be the priority, between endpoint and network telemetry and detections, it's non-trivial but can be done.

Gal Shpantzer

Kudos to everyone involved. The key is obtaining a court order and working with ISPs to take the infrastructure offline. Microsoft's DCU is increasingly acting as a Cyber Health Organization. Keep up the good work!

Curtis Dukes

This type of reporting makes sense. If implemented correctly, upon being alerted of an incident in which critical infrastructure is affected, let someone know. Unlike the SEC form, there is arguably less 'financial risk' and more of a 'people could die risk.' That type of risk seems to be more in line with faster reporting than "we lost another 500,000 identities." Please add to the 2.3 trillion identities we have failed for the 6 billion people who live on this planet. I'm not minimizing the horribleness of either one, but immediate death seems to be prioritized in my head.

Moses Frost

24 hours seems a bit short. Recall the response when India put in a similar restrictive timeframe. 48 or 72 hours allows for more analysis and a more organized report.

Lee Neely

Given that time to detection of breaches (except for extortion attacks) is measured in weeks to months, the urgency should be on detection rather than reporting.

William Hugh Murray

Re the Swiss reporting requirements, they are similar to those under the EU NIS2 (Network Information Security Directive). Under NIS2 regulated entities must notify their regulator within 24 hours of being aware of a significant incident. Note this is a notification and not a full report. An additional report with more details is required with 72 hours. A full report should be given one month after the incident (note this can be extended if required and agreed with the regulator). The regulator can also request updates as required.

Brian Honan

A good news story on how responsible vulnerability disclosure can work. The only missing piece is monitoring for exploitation whilst the patch is being developed, distributed, and implemented by affected organizations.

Curtis Dukes

Snail mail, USB/CD, email, browser, phone (SMS/call) are all vectors through which social engineering can happen. Be skeptical about any gifts, winnings, punishments and deadlines creating urgency and fear of loss.

Gal Shpantzer

This harkens back to chain letters of old. To be honest, as organizations' anti-scam guidance reminds you, they won't call. This plays into leveraging an official-looking printed communication. Beyond educating users to be wary of this old school approach, also investigate ensuring your EDR and perimeter protections include blocking suspect or bogus sites, including mobile users.

Lee Neely

Cyber criminals going old school using postal mail. Seems horribly inefficient and prone to being ignored. What's most disconcerting is the delivery to senior executives' homes as a form of intimidation. Just remember, cyber criminals are only after one thing, the payout.

Curtis Dukes

Do people still read physical mail? I just wanted to get this straight: a ransom note for ransomware is being sent out. Does it have the letters cut out like in the movies?

Moses Frost

Fast or slow, it is the content of the message that counts.

William Hugh Murray

Another week, another healthcare breach. Not hating on that industry; it's going to take a lot of concentrated, well-resourced effort to stem this tide. Until the state of healthcare security improves, we need to assume breach of our data and take appropriate actions to protect our identities/etc.

Lee Neely

While unfortunate, the breaches serve as a reminder for organizations to regularly review their data retention policies. If you don't have a business requirement to maintain social security numbers and driver's license numbers, then don't.

Curtis Dukes

How does a company that technically cannot have a bank account purchase IT equipment and secure systems? Do security vendors take suitcases full of cash? How does all this work?

Moses Frost

Eaton is a big company ($20+B revenue in 2024) and apparently has big problems with managing permissions and testing software for vulnerabilities and errors before pushing out to production. Good to see the perpetrator punished, but if I was an Eaton board member I'd want to see a long list of changes to prevent this from happening again. Something more like Eaton's Zero Incident Safety Program for physical safety.

John Pescatore

Unfortunately this sort of attack continues to be a thing. It can take two forms: the first, a person being removed from the company and access not immediately revoked; the second, the person still employed becoming embittered and lashing out. The first is solvable via process; the second requires focusing on the signs of mental health and is far harder to prevent. This is even more difficult as leaders are increasingly managing a remote workforce.

Curtis Dukes

Happy, well-adjusted employees do not come in and take the place apart. Disaffection grows over time. When the damage comes to light, few are surprised by who did it. Note the signs and take timely action.

William Hugh Murray

Seems like the State of Texas has borne the brunt of cyber-attacks, mostly ransomware, over the last 18 months. It's probably time for the State to establish a minimum cybersecurity baseline and have all Texas municipalities be measured against it. While I know that municipalities want to keep their independence, they simply don't have the resources available to protect themselves. I would look to Implementation Group 1 of the CIS Critical Security Controls for that minimum baseline.

Curtis Dukes