New Wave of Cyberattacks Targets Japan – be4sec

A new wave of persistent cyberattacks has targeted organizations across Japan, exploiting a critical vulnerability in PHP on Windows systems. According to a recent article on the Cisco Talos blog, these attacks, discovered in early 2025, have impacted a wide range of sectors, including technology, telecommunications, entertainment, education, and e-commerce.

The attackers gained initial access by exploiting a remote code execution flaw (CVE-2024-4577). Following this, they deployed the Cobalt Strike kit “TaoWu” for post-exploitation activities. These included stealing credentials, establishing a persistent presence within the compromised systems, and escalating their privileges to gain greater control.

Interestingly, the attackers utilized a mix of publicly available tools and frameworks, some of which are not frequently observed in typical attacker toolkits. These included Blue-Lotus, BeEF, and Viper C2. While the methods employed showed some similarities to a hacker group known as “Dark Cloud Shield” or “You Dun,” the Cisco Talos blog emphasizes that a definitive attribution could not be established.

The blog post also highlights the potential for misuse of adversarial tools. The attackers were found to have downloaded and executed a pre-configured installer script from a Chinese Git-based platform. This script facilitated the setup of various offensive security tools, streamlining their attack process.

The Cisco Talos blog provides indicators of compromise (IOCs) within the article to help organizations identify and mitigate these threats. They also recommend using Cisco security solutions to protect against such attacks. The article serves as a crucial reminder of the evolving threat landscape and the importance of maintaining robust cybersecurity defenses.

CVE-2024-4577

Cisco Systems Inc. has provided the following description: CVE-2024-4577 is a critical remote code execution (RCE) vulnerability in Windows-based PHP installations using CGI configurations. It arises from the “Best-Fit” behavior in Windows code pages, where certain characters are replaced in command-line inputs. The flaw in the PHP-CGI module misinterprets these characters as PHP options, allowing attackers to execute arbitrary PHP code on the server when using Apache with a vulnerable PHP-CGI setup.
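Because the flaw hinges on a character that Windows Best-Fit mapping turns into an option dash before php-cgi parses it, one defensive check is to scan web-server access logs for that character in query strings. The following is an added example, not code from be4sec or Cisco Talos; it assumes Apache combined-format access logs (the sample lines, hosts and paths are constructed) and flags any request whose percent-decoded query string carries a raw soft-hyphen byte (0xAD), the byte the public PHP advisory's mod_rewrite mitigation keys on.

```python
import re
from urllib.parse import unquote_to_bytes

# U+00AD SOFT HYPHEN. In several Windows code pages, Best-Fit conversion
# maps it to an ASCII hyphen (0x2D), which php-cgi then reads as an option
# prefix. (Known fact about the CVE; the page itself names no character.)
SOFT_HYPHEN = 0xAD

# Constructed Apache combined-log lines for demonstration only.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:09:12:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.11 - - [10/Mar/2025:09:12:05 +0000] "POST /php-cgi/php-cgi.exe?%ADh HTTP/1.1" 200 88
203.0.113.12 - - [10/Mar/2025:09:13:40 +0000] "GET /test.php?%adh HTTP/1.1" 200 10
203.0.113.13 - - [10/Mar/2025:09:14:00 +0000] "GET /shop.php?id=1%2D2 HTTP/1.1" 200 300
"""

# Enough of the combined-log format to recover client, timestamp, request target and status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def query_has_soft_hyphen(target: str) -> bool:
    """True if the percent-decoded query string of a request target contains byte 0xAD.

    Decoding to bytes (not str) keeps the check independent of any charset guess,
    and unquote_to_bytes accepts both %AD and %ad, so case tricks do not evade it.
    A plain encoded hyphen (%2D) is not flagged: only the Best-Fit candidate is.
    """
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    return SOFT_HYPHEN in unquote_to_bytes(query)


def scan_log(text: str) -> list:
    """Return one record per log line whose query string carries the soft-hyphen byte."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and query_has_soft_hyphen(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['target']} (HTTP {hit['status']})")
```

A hit is a signal to review, not proof of compromise; pair it with confirming that the host actually runs PHP in CGI mode on Windows and with the IOCs Talos published.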

Affected Products

| Vendor | Product | Version |
|---|---|---|
| Tenable | Security Center | 6.4.5 and earlier |
| Oracle | Communications Unified Assurance | 6.0.0 – 6.0.4 |
| Oracle | SD-WAN Aware | 9.0.1.10.0 |
| Fedora Project | Fedora | 39 |
| Fedora Project | Fedora | 40 |
| Fedora Project | Fedora | 41 |
| FreeBSD | FreeBSD | 13.3 |
| Gentoo | Linux | |
| FreeBSD | FreeBSD | 14 |
| FreeBSD | FreeBSD | 14.1 |
| PHP | PHP | 8.2.0 – 8.2.20 |
| PHP | PHP | 8.3.0 – 8.3.8 |