Cybersecurity experts have uncovered a sophisticated attack on a Taiwanese university, where threat actors deployed a previously unknown backdoor named Msupedge. The attackers exploited a recently patched remote code execution (RCE) vulnerability in PHP, identified as CVE-2024-4577, to compromise Windows systems within the educational institution.
Understanding the PHP Vulnerability
The CVE-2024-4577 vulnerability, disclosed in early June 2024, affects PHP-CGI and carries a critical CVSS score of 9.8. The flaw lets remote attackers execute commands on Windows systems running PHP in CGI mode. Installations using certain locales, including traditional Chinese, simplified Chinese, and Japanese, are particularly exposed to this bug.
Msupedge Backdoor: A Closer Look
According to the Symantec Threat Hunter Team, the Msupedge backdoor was distributed using two libraries: weblog.dll and wmiclnt.dll. The first library was loaded by the Apache httpd.exe process, while the parent process for the second DLL remains unidentified.
Unique DNS Tunneling Technique
What sets Msupedge apart is its use of DNS traffic for command and control (C2) communication. This DNS tunneling feature, implemented using the open-source tool dnscat2, allows attackers to encapsulate data within DNS requests and responses. This technique enables them to receive commands from the C2 server while potentially evading detection.
The backdoor selects which command to execute based on the third octet of the IP address that the C2 server's domain resolves to. Although some groups have used similar methods before, DNS tunneling of this kind remains relatively rare in real-world attacks.
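Because the C2 channel described above rides on DNS rather than HTTP, the place to look for it is resolver or DNS-server query logs. The following Python script is an added example, not code from the original article or from Symantec; it scores each base domain on heuristics typical of DNS tunneling (long, high-entropy subdomain labels, near-unique queries, heavy use of TXT/CNAME/MX records) and, as a heuristic suggested by the third-octet behaviour the article describes, counts how many distinct third octets appear in A-record answers for the same domain. The log format, the thresholds, and the domain names and addresses in SAMPLE_LOG are all constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (not real traffic).
# Assumed format: "<timestamp> <client> <qname> <qtype> <answer-or-dash>"
SAMPLE_LOG = """\
2024-08-01T10:00:01Z 10.0.0.5 www.example.org A 93.184.216.34
2024-08-01T10:00:02Z 10.0.0.5 mail.example.org A 93.184.216.35
2024-08-01T10:00:03Z 10.0.0.7 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.tunnel-demo.test TXT -
2024-08-01T10:00:04Z 10.0.0.7 9f8e7d6c5b4a39281706f5e4d3c2b1a0.tunnel-demo.test TXT -
2024-08-01T10:00:05Z 10.0.0.7 0badf00dcafebabe1122334455667788.tunnel-demo.test A 10.20.3.4
2024-08-01T10:00:06Z 10.0.0.7 deadbeef00112233445566778899aabb.tunnel-demo.test A 10.20.7.4
2024-08-01T10:00:07Z 10.0.0.7 c0ffee1234567890abcdef1234567890.tunnel-demo.test A 10.20.9.4
2024-08-01T10:00:08Z 10.0.0.5 cdn.example.org A 93.184.216.36
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Record types often abused for tunneling because they carry free-form data.
DATA_CARRYING_TYPES = {"TXT", "CNAME", "MX", "NULL"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype, answer = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(), "answer": answer}


def shannon_entropy(s):
    """Bits per character; random-looking hex/base32 labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split into (base domain, subdomain). Assumes base = last two labels."""
    labels = qname.split(".")
    if len(labels) < 3:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(lines, min_queries=3):
    """Aggregate per-base-domain statistics used by the tunneling heuristics."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy_sum": 0.0,
                                 "sub_len_sum": 0, "data_types": 0, "third_octets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        base, sub = split_name(rec["qname"])
        st = stats[base]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        st["sub_len_sum"] += len(sub)
        if rec["qtype"] in DATA_CARRYING_TYPES:
            st["data_types"] += 1
        if rec["qtype"] == "A" and rec["answer"] != "-":
            octets = rec["answer"].split(".")
            if len(octets) == 4:
                st["third_octets"].add(octets[2])
    report = {}
    for base, st in stats.items():
        n = st["queries"]
        if n < min_queries:
            continue
        report[base] = {
            "queries": n,
            "unique_subdomain_ratio": len(st["subdomains"]) / n,
            "avg_entropy": st["entropy_sum"] / n,
            "avg_subdomain_len": st["sub_len_sum"] / n,
            "data_type_ratio": st["data_types"] / n,
            "distinct_third_octets": len(st["third_octets"]),
        }
    return report


def flag_tunnel_candidates(report, min_reasons=2):
    """Flag a domain only when several independent heuristics agree."""
    flagged = []
    for base, m in report.items():
        reasons = []
        if m["avg_subdomain_len"] >= 24 and m["avg_entropy"] >= 3.5:
            reasons.append("long high-entropy subdomain labels")
        if m["unique_subdomain_ratio"] >= 0.9:
            reasons.append("nearly every query uses a unique subdomain")
        if m["data_type_ratio"] >= 0.3:
            reasons.append("heavy use of TXT/CNAME/MX/NULL records")
        if m["distinct_third_octets"] >= 3:
            reasons.append("third octet varies across A answers")
        if len(reasons) >= min_reasons:
            flagged.append((base, reasons))
    return flagged


if __name__ == "__main__":
    for base, reasons in flag_tunnel_candidates(score_domains(SAMPLE_LOG.splitlines())):
        print(f"{base}: {'; '.join(reasons)}")
```

Requiring two or more heuristics to agree matters: in the sample, example.org also scores 1.0 on the unique-subdomain ratio (three hosts, three names), but its short, low-entropy labels and stable A answers keep it below the bar, while the constructed tunnel-demo.test traffic trips all four checks. In production the thresholds should be tuned against a baseline of the organisation's own resolver logs, and CDN or cloud domains with legitimately many unique labels allow-listed.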
Capabilities and Potential Impact
Cybersecurity experts warn that Msupedge provides attackers with a range of capabilities, including:
- Process creation
- File downloads
- Temporary file management
These functionalities allow threat actors to maintain persistence, exfiltrate data, and potentially expand their foothold within compromised networks.
Broader Exploitation of CVE-2024-4577
The Msupedge backdoor is not the only threat leveraging the CVE-2024-4577 vulnerability. In July 2024, Akamai researchers reported multiple threat actors exploiting this flaw to distribute remote access trojans, cryptocurrency miners, and launch DDoS attacks.
Additionally, Imperva analysts observed the TellYouThePass ransomware group utilizing the vulnerability to propagate a .NET variant of their encryption malware.
This widespread exploitation underscores the importance of applying security patches promptly and maintaining robust security controls. Organizations, particularly those in the education sector, should prioritize updating their PHP installations and monitoring their networks, DNS traffic included, to detect and contain such threats. As the threat landscape continues to evolve, staying vigilant and proactive in defense remains paramount.