Cisco Talos recently uncovered a sophisticated attack campaign targeting Japanese organizations through CVE-2024-4577, a critical PHP-CGI remote code execution flaw with 79 exploits available. While Talos focused on victimology and attacker tradecraft, GreyNoise telemetry reveals a far wider exploitation pattern demanding immediate action from defenders globally.

Attack Overview

According to Cisco Talos, the threat actor exploited PHP-CGI installations on Windows systems to deploy Cobalt Strike beacons and conduct post-exploitation activities using the TaoWu toolkit. Key indicators include:

  • Initial Access: Exploitation via PHP-CGI vulnerability using HTTP POST requests with MD5 hash e10adc3949ba59abbe56e057f20f883e as a success marker.
  • Payloads: PowerShell scripts fetching Cobalt Strike reverse HTTP shellcode (e.g., http://38[.]14[.]255[.]23:8000/payload.ps1).
  • C2 Infrastructure: Servers 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77 hosted on Alibaba Cloud, with HTTP User-Agent strings mimicking legacy Internet Explorer versions.

GreyNoise Observations

GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025. 

GreyNoise’s Global Observation Grid (GOG) — a worldwide network of honeypots — detected 1,089 unique IPs attempting to exploit CVE-2024-4577 in January 2025 alone. While initial reports focused on attacks in Japan, GreyNoise data confirms that exploitation is far more widespread, with significant activity observed in:

  • Japan (January 2025): primary focus of the Talos report
  • Singapore/Indonesia (January 2025): secondary surge in attack volume
  • UK/Spain/India (late January 2025): anomalous spikes in exploitation

More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China. 

In February, GreyNoise detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets.

Guidance for Defenders

Organizations with internet-facing Windows systems exposing PHP-CGI — especially those in these newly identified targeted regions — should follow the guidance provided by Cisco Talos and perform retro-hunts to identify similar exploitation patterns.

Identify and block malicious IPs actively targeting CVE-2024-4577. 
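As an added example (not code from GreyNoise or Cisco Talos), the following Python retro-hunt applies the indicators listed above to web-server or proxy log records: POST requests to a PHP-CGI endpoint, the MD5 success marker in a response body, legacy Internet Explorer User-Agent strings, and traffic to or from the two C2 addresses. The success marker is the MD5 digest of the string "123456", which the code verifies rather than assumes. The JSON-lines log format, the field names and the /php-cgi/php-cgi.exe path are assumptions; the sample records are constructed and are not real telemetry.

```python
"""Retro-hunt for CVE-2024-4577 exploitation indicators in web access logs.

Added example, not code from GreyNoise or Cisco Talos. Scans constructed
log records for the indicators the summary lists. The log format (one JSON
object per line with the fields used below) is an assumption; adapt the
field names to your proxy or WAF export.
"""
import hashlib
import json
import re

# Indicators taken from the summary. The IPs are defanged in the source
# text; refang() restores dotted-quad form for comparison.
DEFANGED_C2 = ["38[.]14[.]255[.]23", "118[.]31[.]18[.]77"]
SUCCESS_MARKER = "e10adc3949ba59abbe56e057f20f883e"

# Legacy Internet Explorer versions (MSIE 5 to 10) in a User-Agent header.
LEGACY_IE_RE = re.compile(r"MSIE\s+(?:[5-9]|10)\.\d")
# PHP-CGI endpoint in the request path; assumed location, adjust as needed.
PHP_CGI_RE = re.compile(r"php-cgi(?:\.exe)?", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn '38[.]14[.]255[.]23' back into '38.14.255.23'."""
    return indicator.replace("[.]", ".")


C2_IPS = {refang(ip) for ip in DEFANGED_C2}


def marker_is_md5_of_123456() -> bool:
    """Sanity check: the success marker is MD5('123456')."""
    return hashlib.md5(b"123456").hexdigest() == SUCCESS_MARKER


def score_record(rec: dict) -> list:
    """Return the names of every indicator that matches one log record."""
    hits = []
    if rec.get("method") == "POST" and PHP_CGI_RE.search(rec.get("path", "")):
        hits.append("post_to_php_cgi")
    if SUCCESS_MARKER in (rec.get("response_body") or ""):
        hits.append("success_marker_in_response")
    if LEGACY_IE_RE.search(rec.get("user_agent", "")):
        hits.append("legacy_ie_user_agent")
    if rec.get("src_ip") in C2_IPS or rec.get("dst_ip") in C2_IPS:
        hits.append("known_c2_address")
    return hits


def hunt(lines):
    """Yield (record, hits) for every record with at least one indicator."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        hits = score_record(rec)
        if hits:
            yield rec, hits


# Constructed sample log lines (not real telemetry). Record 1: inbound POST
# to PHP-CGI from a legacy-IE UA whose response carries the marker.
# Record 2: the web server fetching payload.ps1 from a C2 address.
# Record 3: benign browsing that should not be flagged.
SAMPLE_LOG = """
{"ts":"2025-01-14T03:12:09Z","src_ip":"203.0.113.10","dst_ip":"198.51.100.5","method":"POST","path":"/php-cgi/php-cgi.exe","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)","response_body":"e10adc3949ba59abbe56e057f20f883e"}
{"ts":"2025-01-14T03:12:11Z","src_ip":"198.51.100.5","dst_ip":"38.14.255.23","method":"GET","path":"/payload.ps1","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1","response_body":""}
{"ts":"2025-01-14T03:15:40Z","src_ip":"192.0.2.77","dst_ip":"198.51.100.5","method":"GET","path":"/index.php","user_agent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0","response_body":"<html>ok</html>"}
"""


def summarize(log_text: str = SAMPLE_LOG) -> dict:
    """Map each flagged source IP to the set of indicators it triggered."""
    result = {}
    for rec, hits in hunt(log_text.splitlines()):
        result.setdefault(rec["src_ip"], set()).update(hits)
    return result


if __name__ == "__main__":
    for ip, hits in summarize().items():
        print(ip, sorted(hits))
```

Each record is scored on several independent indicators so that a single weak signal (an old IE User-Agent by itself) can be triaged differently from a record that combines a POST to PHP-CGI with the success marker in the response; the outbound fetch from a C2 address is what a proxy log, rather than the web server's own access log, would surface.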

Read the Cisco Talos report here.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.