New PHP flaw exposes Windows servers to RCE attacks

Last week, significant cybersecurity threats emerged across various domains, highlighting critical vulnerabilities and exploitations. Key highlights include the discovery of trojanized Visual Studio Code (VSCode) extensions infecting millions of users, a novel PHP vulnerability facilitating remote code execution on Windows servers, potential exploitation of Azure Service Tags to bypass firewall protections, the release of a proof-of-concept exploit for a Veeam Backup Enterprise Manager authentication flaw, and the exploitation of a Windows privilege escalation vulnerability by ransomware actors. These incidents underscore the ongoing need for vigilant patching, secure configuration practices, and robust endpoint protection strategies.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Millions of installs of trojanized VSCode extensions discovered

Israeli researchers have exposed critical security vulnerabilities in the Visual Studio Code (VSCode) Marketplace by trojanizing the popular ‘Dracula Official’ theme, infecting over 100 organizations. They created a fake extension named ‘Darcula,’ which included a malicious script that collected system information and sent it to a remote server. Traditional endpoint detection tools failed to identify this malicious activity due to VSCode’s extensive file and command execution capabilities.

The experiment, which did not collect sensitive data beyond identifying information, highlighted significant security gaps in Microsoft’s marketplace, despite previous warnings. The researchers also discovered thousands of risky extensions exhibiting malicious behavior, emphasizing the need for regular updates, thorough reviews, and secure extension management practices.

2. Novel PHP vulnerability exposes Windows servers to RCE attacks

A critical security flaw, CVE-2024-4577, in PHP allows remote code execution via CGI argument injection on Windows systems, affecting all PHP versions. This vulnerability, bypassing protections for CVE-2012-1823 due to Windows’ “Best-Fit” encoding conversion, enables unauthenticated attackers to execute arbitrary code using specific character sequences. XAMPP installations on Windows, particularly those configured with Traditional Chinese, Simplified Chinese, or Japanese locales, are especially vulnerable.

The Shadowserver Foundation reported detection of exploitation attempts against its honeypot servers within a day of the flaw’s disclosure. Immediate patching to PHP versions 8.3.8, 8.2.20, and 8.1.29 is recommended, along with transitioning to more secure alternatives like Mod-PHP, FastCGI, or PHP-FPM.

3. Microsoft alerts to potential hacker exploitation of Azure Service Tags vulnerability

Microsoft has warned that Azure Service Tags can be exploited by malicious actors to bypass firewall rules and gain unauthorized access to cloud resources. Service Tags, which simplify network isolation by grouping specific Azure service IP ranges for security rule management, have been identified as vulnerable. Attackers can forge requests from a trusted service, allowing them to bypass firewall rules and access resources in other tenants.

This issue affects at least 10 Azure services, including Azure DevOps and Azure Machine Learning. To mitigate risks, Azure customers should analyze their network rules, add authentication and authorization layers to affected services, and remember that Service Tags alone are insufficient for securing traffic, necessitating strong network authentication.

4. PoC exploit released for VBEM auth bypass flaw

A proof-of-concept (PoC) exploit for the Veeam Backup Enterprise Manager (VBEM) authentication bypass flaw, CVE-2024-29849, is now publicly available. This critical vulnerability affects all versions of VBEM prior to 12.1.2.172 and allows remote unauthenticated attackers to log into VBEM’s web interface as any user.

The flaw resides in the ‘Veeam.Backup.Enterprise.RestAPIService.exe’ service on TCP port 9398, allowing attackers to exploit a VMware SSO token to gain administrator access. Administrators are urged to update to VBEM version 12.1.2.172, limit web interface access to trusted IPs, implement firewall rules to block unauthorized access, and enable multi-factor authentication for all VBEM accounts.

5. Windows privilege escalation vulnerability exploited by ransomware attackers

Threat actors linked to the Black Basta ransomware have potentially exploited the CVE-2024-26169 privilege escalation flaw in the Microsoft Windows Error Reporting Service as a zero-day vulnerability, allowing SYSTEM privileges. This flaw, patched by Microsoft in March 2024, has a CVSS score of 7.8. The financially motivated group often uses Black Basta ransomware to monetize access gained through initial breaches.

The exploit tool, observed in recent attacks, takes advantage of a null security descriptor for registry keys, allowing attackers to set a custom executable pathname and launch a shell with administrative privileges. It was compiled before the patch, indicating possible zero-day exploitation. To mitigate risks, apply the March 2024 update, segment networks, monitor system logs for unusual activity, enforce least privilege principles, and deploy advanced endpoint detection and response solutions.