TTPwire Vol. 1 · MITRE ATT&CK·Tagged


GreyNoise

GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign

2025-03-07

ATT&CK techniques detected

4 predictions

T1190 Exploit Public-Facing Application
91%
"GreyNoise detects mass exploitation of critical PHP-CGI vulnerability (CVE-2024-4577), signaling broad campaign. Cisco Talos recently uncovered a sophisticated attack campaign targeting Japanese organizations through CVE-2024-4577, a critical PHP-CGI remote code exec…"

T1190 Exploit Public-Facing Application
78%
"PowerShell scripts fetching Cobalt Strike reverse HTTP shellcode (e.g., http://38[.]14[.]255[.]23:8000/payload.ps1). - C2 infrastructure: servers 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77 hosted on Alibaba Cloud, with HTTP User-Agent stri…"

T1071.001 Web Protocols
49%
"PowerShell scripts fetching Cobalt Strike reverse HTTP shellcode (e.g., http://38[.]14[.]255[.]23:8000/payload.ps1). - C2 infrastructure: servers 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77 hosted on Alibaba Cloud, with HTTP User-Agent stri…"

T1588.006 Vulnerabilities
39%
"Activity observed in: more than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China. In February, GreyNoise detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning f…"
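The T1190 and T1071.001 predictions above correspond to two stages a defender can actually see in logs: the inbound request that abuses php-cgi, and the follow-on PowerShell fetch of the Cobalt Strike stager from the C2 host named in the excerpt. The detector below is an added example (not GreyNoise, Cisco Talos or TTPwire code) that classifies constructed Apache/nginx combined-format log lines into those two techniques. Its assumptions: the CVE-2024-4577 request signature (a percent-encoded %AD soft hyphen that php-cgi on Windows best-fit-maps to "-", letting a "-d" php.ini override be smuggled in through the query string) is taken from the public CVE description and is not stated on this page; the C2 addresses and payload URL are the page's defanged IoCs, refanged only for matching; the egress-proxy sample line and its PowerShell User-Agent are constructed, since the page truncates the real User-Agent string.

```python
"""Added detection example for the CVE-2024-4577 campaign described on this page.

Not GreyNoise/Talos/TTPwire code. Assumptions are marked in comments.
"""
import re
from urllib.parse import unquote_to_bytes, urlsplit

# IoCs quoted on this page (defanged there as 38[.]14[.]255[.]23 etc.), refanged for matching.
C2_HOSTS = {"38.14.255.23", "118.31.18.77"}
PAYLOAD_URL = "http://38.14.255.23:8000/payload.ps1"

# Assumption: Apache/nginx "combined" format. The request target is captured verbatim
# so percent-encoding survives into the match below.
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CVE-2024-4577 signature, from the public CVE description (not from this page):
# php-cgi on Windows best-fit-maps the 0xAD soft hyphen to '-', so a query string such as
# "?%ADd+allow_url_include%3d1" reaches PHP as "-d allow_url_include=1". Match a php.ini
# override introduced by either the raw 0xAD byte or a plain '-'.
PHP_OVERRIDE_RE = re.compile(
    rb"(?:^|[?&+ ])(?:\xad|-)d[+ ]*(allow_url_include|auto_prepend_file|cgi\.force_redirect)",
    re.IGNORECASE,
)


def classify(line: str) -> list[tuple[str, str]]:
    """Return (ATT&CK technique, reason) pairs for one log line; [] if benign or unparsable."""
    m = COMBINED_RE.match(line)
    if not m:
        return []
    hits: list[tuple[str, str]] = []
    target = m["target"]
    # Decode to bytes so the 0xAD byte is visible even when the query is not valid UTF-8.
    raw = unquote_to_bytes(target)

    # Inbound (web-server log, relative target): exploitation attempt against php-cgi.
    if target.startswith("/") and PHP_OVERRIDE_RE.search(raw):
        hits.append(("T1190", f"php-cgi argument injection (CVE-2024-4577 pattern) from {m['src']}"))

    # Outbound (egress-proxy log, absolute URL): contact with the C2 hosts named on this page.
    if target.startswith("http"):
        host = urlsplit(target).hostname or ""
        if host in C2_HOSTS:
            reason = f"outbound HTTP to C2 host {host}"
            if "powershell" in m["ua"].lower() or target.endswith(".ps1"):
                reason += " (PowerShell payload fetch)"
            hits.append(("T1071.001", reason))
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[tuple[str, str]]]]:
    """Classify many lines; returns (index, hits) only for lines that matched."""
    return [(i, h) for i, line in enumerate(lines) if (h := classify(line))]


# Constructed sample log lines (not from the page or any real capture).
SAMPLE_LOG = [
    # Inbound exploitation attempt: %AD-d overrides smuggled through the query string.
    '203.0.113.7 - - [05/Mar/2025:09:12:44 +0000] "POST /index.php?%ADd+allow_url_include%3d1'
    '+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # Benign request to the same endpoint.
    '198.51.100.9 - - [05/Mar/2025:09:12:45 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # Egress-proxy line for the stager fetch; UA is PowerShell's default Invoke-WebRequest string
    # (assumption, since the page truncates the real User-Agent).
    '10.0.0.5 - - [05/Mar/2025:09:13:02 +0000] "GET http://38.14.255.23:8000/payload.ps1 HTTP/1.1" '
    '200 4096 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        for technique, reason in hits:
            print(f"line {idx}: {technique}: {reason}")
```

The inbound check decodes the target to bytes on purpose: the soft hyphen is the whole trick, and a decoder that normalises or drops non-UTF-8 bytes would hide it. The outbound check is deliberately IoC-driven and will go stale as the operators rotate hosts; pair it with a behavioural rule for `.ps1` downloads by a PowerShell User-Agent from servers that should never fetch scripts.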

Summary

GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.