CVE-2017-9841

Vulnerability Profile Updated 3 months ago
CVE-2017-9841 is a critical remote code execution flaw in PHPUnit, the PHP testing framework. The helper script Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 reads the raw HTTP request body and passes it to eval(). The script is a test utility that was never meant to be web-reachable, but when a project's vendor/ directory is served from the document root, an unauthenticated attacker can POST PHP code (beginning with an opening <?php tag) to that path and have the server execute it. That is why the bug keeps turning up on production sites years after the fix: the exposure is a deployment mistake, not a rare configuration.

The Kinsing threat actors, known for fully automated cryptomining attacks on cloud infrastructure, have used this vulnerability for initial access, with the activity becoming more prevalent from 2021 onwards. In the observed chain, the PHP payload downloads and executes a Perl script that opens a reverse shell, often on port 1337, back to the attacker's infrastructure. With a foothold on the host, the actors harvest cloud service provider secrets and have chained the access with CVE-2023-4911 ("Looney Tunables"), a buffer overflow in the GNU C Library's dynamic loader, to gain root on the underlying Linux system, which can lead to complete compromise of the machine and of the cloud accounts whose credentials it holds.

Mitigation is straightforward but must be done promptly: patch PHPUnit to 4.8.28 / 5.6.3 or later, or better, install it only as a development dependency and do not ship it to production at all; keep vendor/ outside the web root or deny HTTP access to it; rotate any cloud credentials that were reachable from an exposed host; monitor configurations for the directory reappearing; and add detection for requests to eval-stdin.php. Given the active exploitation, particularly by Kinsing, organizations running internet-facing PHP applications should treat these steps as urgent.
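As a practical check on two of the actions above (confirm whether a deployed PHPUnit is in the affected range, and detect exploitation attempts in web logs), here is an added Python example; it is not part of this profile and is not PHPUnit's own code. is_vulnerable_version() applies the affected-version range from the CVE record to a phpunit/phpunit version string such as the one recorded in composer.lock; find_exploit_attempts() scans access-log lines in the Apache/nginx combined format for requests to eval-stdin.php. The log lines are constructed for the example, the "reachable" flag is a heuristic of my own (a 200 on a POST means the file existed and ran, not that a shell was obtained), and all function and field names are hypothetical.

```python
import re
from typing import Dict, List

# Fix versions from the CVE-2017-9841 record: PHPUnit 4.8.28 and 5.6.3.
# Anything before 4.8.28 (including 3.x) and any 5.x before 5.6.3 is affected;
# 6.0 and later were released after the fix.
FIXED_IN = {4: (4, 8, 28), 5: (5, 6, 3)}


def is_vulnerable_version(version: str) -> bool:
    """Return True if a phpunit/phpunit version string (e.g. from composer.lock)
    falls inside the CVE-2017-9841 range. A leading 'v' is tolerated and anything
    after the patch number (e.g. '-beta1') is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable PHPUnit version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major < 4:
        return True
    if major in FIXED_IN:
        return (major, minor, patch) < FIXED_IN[major]
    return False


# Apache/nginx "combined" access-log format: ip ident user [time] "req" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The vulnerable helper lives at .../Util/PHP/eval-stdin.php; scanners try many
# vendor-directory layouts, so match on the filename rather than the full path.
TARGET_RE = re.compile(r"/eval-stdin\.php$", re.IGNORECASE)


def find_exploit_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Scan access-log lines for requests aimed at eval-stdin.php.

    'reachable' (hypothetical heuristic) is True when a POST was answered 200:
    the file exists and is web-exposed, so the posted PHP body was eval()'d.
    The access log does not record the body, so what actually ran has to be
    confirmed on the host itself."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string
        if not TARGET_RE.search(path):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "path": path,
            "status": status,
            "reachable": m["method"] == "POST" and status == 200,
        })
    return hits


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:03:14:07 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:03:14:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2024:04:02:51 +0000] "POST /lib/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Jan/2024:04:02:52 +0000] "GET /vendor/phpunit/src/Util/PHP/eval-stdin.php?x=1 HTTP/1.1" 404 196 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for v in ("3.7.38", "4.8.27", "4.8.28", "5.6.2", "5.6.3", "v6.0.0"):
        print(f"phpunit {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'fixed'}")
    for h in find_exploit_attempts(SAMPLE_LOG):
        print(f"{h['ip']} {h['method']} {h['path']} -> {h['status']} reachable={h['reachable']}")
```

In the constructed log the first host answered 200 to a POST, so it needs a host-level investigation (look for the downloaded Perl script, an outbound connection to port 1337, and any cloud credentials on disk), while the 404s from the second client are scanner probes that still tell you which IP is hunting for the file.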
Miscellaneous Associations
Other elements of context that may help judge relevance: Vulnerability, Exploit, Remote Code ..., Loader, Linux, CISA
Associated Malware
Kinsing (type: Unspecified; votes: 2)
Kinsing is a Linux malware family used in automated cryptomining campaigns against cloud and container workloads. It gains entry by exploiting vulnerable internet-facing services (an exposed PHPUnit eval-stdin.php being one example), typically without the operator noticing. Once inside, it can steal personal information, disrupt o
Associated Threat Actors
Androxgh0st (type: Unspecified; votes: 3)
AndroxGh0st is the name given both to a Python-scripted credential-stealing malware and to the actors operating the botnet built from it; CISA and the FBI described it in advisory AA24-016A, which lists CVE-2017-9841 among the flaws it exploits. The group utilizes a botnet for victim identification and exploitation, with alerts raised by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Ag
Associated Vulnerabilities
CVE-2023-4911 (type: Unspecified; votes: 1)
CVE-2023-4911, also known as the "Looney Tunables" vulnerability, is a significant software flaw found in the GNU C Library (glibc), specifically within its dynamic loader ld.so. This buffer overflow issue occurs when processing the GLIBC_TUNABLES environment variable, enabling threat actors to exec
Source Document References
Information about CVE-2017-9841 was read from the documents below. This display is limited to 20 results.
Source | Created | Title
SANS ISC | 10 days ago | Who You Gonna Call? AndroxGh0st Busters! [Guest Diary] - SANS Internet Storm Center
InfoSecurity-magazine | 3 months ago | Log4J Still Among Top Exploited Vulnerabilities, Cato Finds
CERT-EU | 5 months ago | Sensor Intel Series: Top CVEs in December 2023
CERT-EU | 5 months ago | Sensor Intel Series: Top CVEs in January 2024
CERT-EU | 6 months ago | Cyber Security Week in Review: January 19, 2024
CERT-EU | 6 months ago | CISA and FBI Reveal Known Androxgh0st Malware IoCs and TTPs
CERT-EU | 6 months ago | FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft
CERT-EU | 6 months ago | Androxgh0st Malware: SafeBreach Coverage for US-CERT Alert (AA24-016A)
DARKReading | 6 months ago | CISA: AWS, Microsoft 365 Accounts Under Active 'Androxgh0st' Attack
CERT-EU | 6 months ago | Hackers Building AndroxGh0st Botnet to Target AWS, O365, Feds Warn
InfoSecurity-magazine | 6 months ago | US Government Urges Action to Mitigate Androxgh0st Malware Threat
CERT-EU | 6 months ago | Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials
CISA | 6 months ago | CISA and FBI Release Known IOCs Associated with Androxgh0st Malware | CISA
Securityaffairs | 6 months ago | FBI, CISA warn of AndroxGh0st botnet for victim identification and exploitation
CERT-EU | 6 months ago | FBI: Beware of cloud-credential thieves building botnets
CERT-EU | 6 months ago | CISA and FBI Release Known IOCs Associated with Androxgh0st Malware
CERT-EU | 6 months ago | FBI: Androxgh0st malware botnet steals AWS, Microsoft credentials
CISA | 6 months ago | Known Indicators of Compromise Associated with Androxgh0st Malware | CISA
CERT-EU | 8 months ago | Sensor Intel Series: Top CVEs in October 2023
Securityaffairs | 8 months ago | CISA adds Looney Tunables Linux bug to its Known Exploited Vulnerabilities catalog