norm. Threat Bulletin: 12th June 2024

Threat bulletin header

Don’t Get Hacked: Patch PHP on Windows Servers Now (CVE-2024-4577)

A recently discovered flaw in PHP, identified as CVE-2024-4577, poses a serious threat to Windows servers. This vulnerability allows attackers to potentially take complete control of vulnerable machines.


How Does It Work?

The vulnerability is rooted in how PHP handles certain characters on Windows systems. By crafting a specific sequence of characters, attackers can bypass security measures and inject malicious code into the server. This code can then be executed, granting the attacker remote control. Details of the vulnerability and the technical aspects can be found in the official CVE entry.


Who’s at Risk?

The vulnerability specifically targets Windows servers running PHP in Common Gateway Interface (CGI) mode. This mode is less common than others, but it’s still used by some web server setups, particularly those involving XAMPP. Additionally, servers configured with specific language settings (Traditional Chinese, Simplified Chinese, or Japanese) are at heightened risk. Information on vulnerable configurations can be found in security reports, such as the one by Tenable.


What Can Be Done?

Fortunately, patches have already been released to address this vulnerability. If you manage a Windows server running PHP, here’s what you should do:

  • Update PHP to the latest version: PHP versions 8.3.8, 8.2.20, and 8.1.29 all contain the fix. You can find official download links and release notes on the PHP website.
  • Consider migrating from PHP-CGI: If possible, explore more secure alternatives like Mod-PHP, FastCGI, or PHP-FPM. Resources for migrating away from CGI can be found in the PHP documentation.
  • Stay informed: Keep an eye out for further developments regarding the exploit and potential variations. Security researchers may publish additional information on exploit code, so monitoring security blogs or reputable news sources is recommended.


Don’t Wait: Patch Now!

This vulnerability is critical and should be addressed immediately. By patching your systems and potentially migrating away from CGI, you can significantly reduce your risk of a cyber attack. Remember, cyber criminals are constantly searching for weaknesses to exploit. Taking these steps now will help keep your servers secure.



National Vulnerability Database (NVD): CVE-2024-4577 (
Tenable Security Response Centre: CVE-2024-4577 (
PHP Downloads (
DigitalOcean: How To Install LAMP Stack on Ubuntu (


Muhstik Botnet Leverages Apache RocketMQ Flaw to Enhance DDoS and Crypto Mining Activities

The Muhstik botnet, known for targeting IoT devices and Linux-based servers for cryptocurrency mining and DDoS attacks, has been seen exploiting a recently patched security flaw in Apache RocketMQ to expand its reach. According to a report by cloud security firm Aqua, this botnet, first documented in 2018, has a history of leveraging known web application vulnerabilities to propagate.

The latest vulnerability exploited by Muhstik is CVE-2023-33246, a critical security flaw in Apache RocketMQ with a CVSS score of 9.8. This flaw enables remote, unauthenticated attackers to execute remote code by manipulating the RocketMQ protocol content or using the update configuration function. Once exploited, the attackers gain initial access and execute a shell script from a remote server, which then downloads the Muhstik binary, named “pty3,” likely to masquerade as a pseudo terminal and evade detection.


Attack flow

Figure 1 – Attack flow as provided by Aqua


Persistence on the compromised host is achieved by copying the malware to various directories and modifying the /etc/inittab file as observed in the attack chain in Figure 1, this is done to ensure the process restarts during the server boot. The malware is stored in directories like /dev/shm, /var/tmp, /run/lock, and /run, allowing it to execute from memory and avoid leaving traces on the system.

Muhstik’s capabilities include gathering system metadata, moving laterally to other devices via SSH, and establishing contact with a command-and-control (C2) domain using the IRC protocol. The current most recognised contact domain is[.]eu, however connections to other servers have also been observed for:

  • shadow-mods[.]net
  • findmeatthe[.]top
  • deutschland-zahlung[.]eu


The primary objective is to use the compromised devices for flooding attacks that overwhelm network resources, causing denial-of-service conditions. Additionally, previous campaigns have detected crypto mining activities following Muhstik infections, indicating that attackers aim to mine cryptocurrency using the compromised machines’ resources.

Despite the public disclosure of the vulnerability over a year ago, 5,216 Apache RocketMQ instances remain exposed to the internet, underscoring the need for organisations to update to the latest version to mitigate potential threats. Security researcher Nitzan Yaakov emphasizes the importance of addressing these vulnerabilities to prevent further exploitation.

The disclosure coincides with AhnLab Security Intelligence Center (ASEC) reports of poorly secured MS-SQL servers being targeted by various malware types, including ransomware and remote access trojans. General advisories for administrators are to use strong, regularly updated passwords and apply the latest patches to protect against brute-force and dictionary attacks.

This feels like a lot of different angles to approach, Luckily, you could leave it to the professionals of the industry, here are at norm our Managed Threat Detection and Response package service provides near real-time security monitoring for your network, services and devices. Using telemetry feeds, threat intelligence feeds, use cases and play books, the norm. Security Operations Centre (SOC) identifies and isolates threats in near real-time, giving you peace of mind 24 hours a day, every day.



Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks (
Muhstik Malware Targets Message Queuing Services Applications (
CVE-2023-33246: Apache RocketMQ: RocketMQ may have a remote code execution vulnerability when using the update configuration function-Apache Mail Archives
Muhstik Botnet Exploits Apache RocketMQ Flaw for DDoS Attack (
Apache RocketMQ targeted for more extensive Muhstik botnet attacks | SC Media (



Malicious VSCode Extension Impacts Millions of users

A recent investigation by Israeli researchers has revealed significant security vulnerabilities in the Visual Studio Code (VSCode) marketplace, impacting over 100 organisations. By infecting a copy of the popular ‘Dracula Official’ theme with a trojan, they managed to spread risky code, leading to a deeper look into the marketplace, where thousands of extensions with millions of installs were found to be potentially harmful.

VSCode, a widely used source code editor from Microsoft, boasts an extensive marketplace of extensions that enhance its functionality. However, previous reports have indicated security issues, including extension and publisher impersonation and the presence of extensions that steal developer authentication tokens. These vulnerabilities expose developers to significant risks.

In their experiment, researchers Amit Assaraf, Itay Kruk, and Idan Dardikman created an extension mimicking the popular ‘Dracula Official’ theme, a widely used colour scheme with over 7 million installs. By slightly altering the name to ‘Darcula,’ they managed to publish a seemingly legitimate extension on the VSCode Marketplace, even securing a verified publisher status by registering a matching domain.

This malicious extension included the legitimate code from the Dracula theme but added a script that collected system information, such as the hostname, number of installed extensions, device’s domain name, and operating system platform. This data was then sent to a remote server. The researchers noted that endpoint detection and response (EDR) tools did not flag this malicious code due to the inherent trust in development and testing systems like VSCode.

The extension gained traction quickly, being installed by high-value targets, including a publicly listed company, major security firms, and a national justice court network. While the researchers did not disclose the names of the impacted organisations, they ensured that their experiment was non-malicious by only collecting identifying information and providing disclosures within the extension’s documentation.

Following this experiment, the researchers used a custom tool, ‘ExtensionTotal,’ to scan the VSCode Marketplace for other high-risk extensions. Their findings were alarming:

  • 1,283 extensions contained known malicious code, totalling 229 million installs.
  • 8,161 extensions communicated with hardcoded IP addresses.
  • 1,452 extensions ran unknown executables.
  • 2,304 extensions appeared to be copycats, using another publisher’s GitHub repository.

These findings highlight Microsoft’s lack of stringent controls and code review mechanisms, allowing the platform to be abused. The researchers warned that VSCode extensions represent an exposed attack vector with high risk and significant impact, necessitating urgent attention from the security community.

While all malicious extensions identified were reported to Microsoft for removal, the majority remain available for download. The researchers plan to release their ‘ExtensionTotal’ tool next week to help developers scan their environments for potential threats.

This type of attack is reminiscent of tactics seen in phishing emails, where attackers use lookalike domains and slight variations in names to trick users into believing the source is legitimate. Just as phishing emails often impersonate trusted entities to steal credentials, malicious extensions like ‘Darcula’ exploit trust in widely used tools to infiltrate systems.

At norm., with our Cyber Safety & Phishing module, we provide expert guidance and comprehensive Cybsafe courses to help organisations tackle these security challenges. Our team can assist in identifying and mitigating similar risks and phishing attempts, ensuring your development environment and overall cyber security posture remain robust and secure.

Get norm.’s threat bulletin direct to your inbox

norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: