A flaw in PHP, a scripting language that powers a mind-boggling proportion of the world’s websites, had erupted in an internet firestorm. The vulnerability carried an amazing 9.8/10 danger rating and was so serious that it didn’t just give adversaries a front-door key. It demanded they be ushered in for tea. It was the same day as the 2020 presidential debate in the US, and, as if orchestrated, international cybercriminals executed a staggering coordinated campaign of ransomware attacks armed with this flaw, ushering in a new era of cyber extortion. The story of this bug is about a lot more than a security flaw in a piece of software. It’s really about the interplay between instinct and technology.
It actually began with an exploit that sounded like fodder for a cyber thriller: a vulnerability in the PHP scripting language that was relatively easy to exploit, allowing hackers to inject code directly into web servers. Security experts had barely had a chance to ring the alarm bells before the digital vandals struck, deploying a strain of ransomware dubbed TellYouThePass. Sites that had been operable one minute were replaced with plain-text ransom notes demanding payment to recover the files behind them. It wasn’t just an attack. It was a message.
Reports spread about compromised servers, especially in China, and early accounts said 1,800 targets had been battered. (The exact number fluctuated, and still does, as both attackers and defenders jockeyed to gain the upper hand.) Each newly encrypted file had its name amputated with a shudder-inducing extension: .locked. Victims who felt they had little choice were stuck choosing between paying the ransom and losing their data forever.
Front and centre was CVE-2024-4577: a critical vulnerability in PHP, a programming language. The way that the bug was born was unremarkable in the extreme — a harmless feature, a mere quirk in the way PHP would convert Unicode into ordinary ASCII text characters. But given an unexpected turn of events — the twist of some … code — a malicious actor could evade security and execute ‘arbitrary commands’. The bug targeted a gap. A fully automated backdoor. In this deep, inarticulate space, a malicious party with knowledge of the craft of argument injection could seize the controls.
It turned out that PHP’s vulnerability was exploitable only in CGI mode, one way of handling incoming web requests. But the threat wasn’t lurking only there: it also sat in dark corners where one could run PHP executables, in configurations such as XAMPP – their use is rare enough, if such a thing is possible, to justify talking about them. 800 million websites, an in-your-face vulnerability, and a glaring exploit of the measures that are taken to keep some functionality alive.
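A defender-side check for the conversion quirk and CGI-mode exposure described above, as an added example that is not part of the original article: it flags access-log requests whose query string would reach a CGI binary as a command-line argument starting with a hyphen, or with a byte that the conversion turns into one. The 0xAD byte value (from public advisories for this CVE), the Apache combined log format and the function names are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Bytes that arrive at the CGI binary as an ASCII hyphen: "-" itself, and 0xAD
# (soft hyphen). ASSUMPTION: 0xAD is the value public advisories for
# CVE-2024-4577 give for the Unicode-to-ASCII fold; the article does not name it.
HYPHEN_LIKE = {0x2D, 0xAD}

# Request line inside an Apache combined-format log entry (assumed log format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_argument_injection(target: str) -> bool:
    """True if the query string would be handed to a CGI program as an
    argument list whose first argument starts with a hyphen-like byte."""
    _, sep, query = target.partition("?")
    if not sep or not query:
        return False
    # RFC 3875 section 4.4: only a query with no unencoded "=" becomes argv.
    if "=" in query:
        return False
    decoded = unquote_to_bytes(query.replace("+", " ")).lstrip()
    return bool(decoded) and decoded[0] in HYPHEN_LIKE


def flag_requests(lines):
    """Return (client_ip, request_target) for every suspicious log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_argument_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed sample log lines (documentation IP ranges, placeholder arguments).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2024:10:00:01 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2024:10:00:02 +0000] "GET /search.php?caf%C3%A9 HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/Jul/2024:10:00:03 +0000] "POST /index.php?%ADx+name%3Dvalue HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Jul/2024:10:00:04 +0000] "GET /index.php?-x HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, target in flag_requests(SAMPLE_LOG):
        print(f"suspicious CGI argument from {ip}: {target}")
```

A hit with a 200 status deserves closer review than one the server rejected, since the status shows whether the request was served at all.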
Intuition plays an outsize role in the digital arms race. Early this year, a small group of security professionals read the patched exploit and saw its potential for mass exploitation. They knew, from decades on the front lines, what could come next. Within 24 hours of the vulnerability’s disclosure, the attack began. By the end of March, the total known number of systems compromised topped 100,000. Within one month of the patch’s release, the attackers had weaponised it faster than anyone anticipated. The window of cyber-security is so small that those who try to be first might also be last. Shrewd attackers and defenders alike depend on intuition to get a leg up on the other side. When it comes to prediction, the stakes couldn’t be higher. Too often, successful attacks result from failure to predict what comes next.
What stood out was that XAMPP was being used very widely – but XAMPP is known for being poorly suited to use in production systems. Someone – but who? – was doing something that seemed imprudent or that involved a hole in risk perception and judgement. Hackers relied on compromised XAMPP servers to publish malicious content. Overall, the experience seems to indicate priorities that don’t do enough to support the pressing need for robust and usefully powerful software in a safe and reliable context.
Meanwhile, the rising and falling counts of infected sites were reflecting a battle in progress. Yet for all the widespread despair, not a single payment was made to free the ransomed sites – a clear indication that, while painful, victims were opting not to fuel cybercrime by paying up.
At its heart, cybersecurity is about intuition and technology working in tandem. In the midst of a battle against intruders, what turns out to be the key piece of evidence is often subtle and elusive, prompting the security analyst to ask the question ‘what if’. The ‘intuition’ is neither provable nor self-evident, yet it carries weight – sometimes enough to take action and other times enough to find the resources to examine it further. Great things happen when security analysts, armed with their hunches and other evidence, disturb the status quo.
This story of PHP’s dependency and ransomware attackers’ exploitation isn’t just a cautionary tale about software vulnerability; it’s a story of the power of intuition on the Internet. By pairing technological know-how with intuition, the cybersecurity community maintains its position on the frontlines in the fight against unseen danger in the digital underworld.
© 2024 UC Technology Inc. All Rights Reserved.