CVE-2017-9841

Vulnerability updated 7 months ago (2024-05-04T23:18:29.028Z)
CVE-2017-9841 is a critical vulnerability in the PHP testing framework PHPUnit. Attackers exploit the flaw to gain initial access to systems by downloading and executing a Perl script that opens a reverse shell on the compromised machine. The vulnerability was actively exploited by Kinsing threat actors, known for their aggressive attacks on cloud infrastructures, who used fully automated attacks to mine cryptocurrency.

Exploitation of this vulnerability by Kinsing threat actors became more prevalent from 2021 onwards. They leveraged it to establish initial access, often opening a reverse shell on port 1337. Once this access was established, they were able to steal cloud service provider secrets, potentially leading to complete system compromise. The exploitation was part of a larger attack pattern that also used CVE-2023-4911, a buffer overflow vulnerability in the GNU C Library's dynamic loader, to achieve root privileges on the underlying Linux distribution.

To mitigate the risk associated with CVE-2017-9841, security experts recommend swift and decisive measures such as patching, securing credentials, monitoring configurations, and enhancing detection capabilities. Given the active exploitation of this vulnerability, particularly by the Kinsing threat actor, these steps are essential for organizations protecting their cloud infrastructures against breaches that could lead to complete system compromise.
Description last updated: 2024-05-04T22:46:57.710Z
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Exploit
Associated Malware
Description: The Kinsing Malware is associated with CVE-2017-9841. Kinsing is a malicious software, or malware, that has been recently observed exploiting vulnerabilities in systems. It operates by infiltrating computers or devices, often undetected, through suspicious downloads, emails, or websites. Once inside, Kinsing can wreak havoc by stealing personal informa
Association Type: Unspecified
Votes: 2
Associated Threat Actors
Description: The Androxgh0st Threat Actor is associated with CVE-2017-9841. Androxgh0st, a notable threat actor in the cybersecurity landscape, has been actively targeting systems since January 2024. According to CloudSEK's Threat Research team, Androxgh0st has begun exploiting vulnerabilities in web servers, specifically targeting high-profile technologies like Cisco ASA,
Association Type: Unspecified
Votes: 3