CVE-2017-9841

Vulnerability updated 4 months ago (2024-05-04T23:18:29.028Z)
CVE-2017-9841 is a critical remote code execution vulnerability in PHPUnit, the PHP unit-testing framework. The flaw is in the helper script Util/PHP/eval-stdin.php (PHPUnit before 4.8.28 and 5.x before 5.6.3), which reads PHP source from its input and passes it to eval(). When a project's vendor/ directory is reachable over HTTP, an unauthenticated attacker can POST a request body containing a `<?php` opening tag to that file and have the code executed by the web server's PHP interpreter. The script is a development-time utility with no reason to be web-accessible, so exposure is as much a deployment mistake (shipping dev dependencies and the vendor/ tree under the web root) as a code bug.

Kinsing threat actors, known for aggressive, fully automated attacks on cloud infrastructure aimed at cryptocurrency mining, have exploited the flaw for initial access: the injected PHP downloads and executes a Perl script that opens a reverse shell on the compromised host, often on port 1337. Exploitation by Kinsing became more prevalent from 2021 onwards. Once a foothold was established, the actors harvested cloud service provider credentials, which can lead to complete compromise of the environment. In the reported campaign, CVE-2017-9841 was chained with CVE-2023-4911 ("Looney Tunables"), a buffer overflow in the GNU C Library's dynamic loader (ld.so) when it parses the GLIBC_TUNABLES environment variable, to escalate from the web server's account to root on the underlying Linux host.

To mitigate CVE-2017-9841, upgrade PHPUnit to 4.8.28 / 5.6.3 or later and, more importantly, keep it out of production: if PHPUnit is declared as a dev dependency, deploy with `composer install --no-dev`, and never expose vendor/ under the web root. Beyond patching, secure and rotate any cloud credentials a web-facing host can reach, monitor configurations for drift, and add detection for requests to eval-stdin.php. Given the active exploitation, particularly by Kinsing, organizations running PHP applications in the cloud should treat these steps as urgent.
Description last updated: 2024-05-04T22:46:57.710Z
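Added here as a worked detection example (not code from this page, from PHPUnit, or from any of the reports cited below): a Python scanner that runs over Apache/Nginx combined-format access log lines and flags requests to the vulnerable eval-stdin.php path, separating GET probes from POST exploitation attempts, plus a helper that mirrors the script's eval() condition on a raw request body. The log lines are constructed for the example; the verdict labels, and the choice to treat a POST answered with HTTP 200 as a likely success, are the example's own assumptions rather than anything the advisories specify.

```python
"""Detect CVE-2017-9841 (PHPUnit eval-stdin.php) exploitation attempts in
web-server access logs.  Added example; not code from the page or PHPUnit."""
import re
from typing import Dict, List, Optional

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# The vulnerable helper is src/Util/PHP/eval-stdin.php inside the phpunit package.
# Match on the tail so any vendor/ depth or renamed project directory is caught.
_TARGET_RE = re.compile(r'/util/php/eval-stdin\.php$', re.IGNORECASE)

# Constructed sample lines (RFC 5737 documentation addresses, not a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:08:15:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:08:15:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 73 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2024:08:16:11 +0000] "GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.23 - - [10/Jan/2024:08:16:12 +0000] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 51 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jan/2024:08:17:39 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php?x=1 HTTP/1.1" 500 0 "-" "curl/8.4"
192.0.2.9 - - [10/Jan/2024:08:17:40 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "curl/8.4"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Verdict for a parsed entry, or None if the request is not for eval-stdin.php.

    'probe'          : GET/HEAD against the file (scanner checking it exists)
    'attempt'        : POST that the server did not answer with 200
    'likely-success' : POST answered 200 (assumption: the script ran and replied)
    """
    path = entry["path"].split("?", 1)[0]          # ignore any query string
    if not _TARGET_RE.search(path):
        return None
    if entry["method"] == "POST":
        return "likely-success" if entry["status"] == "200" else "attempt"
    return "probe"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that touches eval-stdin.php, in log order."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            findings.append({**entry, "verdict": verdict})
    return findings


def worst_verdict_by_ip(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """Collapse findings to the most serious verdict seen per source address."""
    rank = {"probe": 0, "attempt": 1, "likely-success": 2}
    worst: Dict[str, str] = {}
    for f in findings:
        cur = worst.get(f["ip"])
        if cur is None or rank[f["verdict"]] > rank[cur]:
            worst[f["ip"]] = f["verdict"]
    return worst


def body_would_be_evaluated(body: bytes) -> bool:
    """Mirror the vulnerable behaviour for WAF/IDS use: eval-stdin.php does
    eval('?>' . $input), so the body starts in HTML mode and any later
    '<?php' or '<?=' tag switches the interpreter back into code.  A bare
    '<?' is deliberately not flagged because it depends on short_open_tag."""
    return b"<?php" in body or b"<?=" in body


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f'{f["ts"]} {f["ip"]:15} {f["method"]:4} {f["status"]} {f["verdict"]:15} {f["path"]}')
    print("worst per source:", worst_verdict_by_ip(results))
```

Feed real logs with `scan_log(open(path).read())`; a `likely-success` from a host where vendor/ should not be served is a trigger to pull the PHP-FPM process tree and outbound connections (the reverse shell on port 1337 described above) rather than just to block the source address.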
Aliases: none currently tracked
Miscellaneous Associations (other context that could aid in identifying relevance): Vulnerability, Exploit
Associated Malware
ID: Kinsing | Type: Unspecified | Votes: 2
Kinsing is malware that has recently been observed exploiting vulnerabilities in systems. It operates by infiltrating computers or devices, often undetected, through suspicious downloads, emails, or websites. Once inside, Kinsing can wreak havoc by stealing personal informa
Associated Threat Actors
ID: Androxgh0st | Type: Unspecified | Votes: 3
Androxgh0st is a significant threat actor in the cybersecurity landscape, known for offering malware-as-a-service. This entity is responsible for the creation and distribution of a Python-scripted malware that primarily targets .env files containing confidential information from high-profile applica
Source Document References
Information about the CVE-2017-9841 vulnerability was read from the document corpus below (display limited to 20 results).
Source | Created | Title
CERT-EU | 8 months ago | FBI Warns Of Androxgh0st Malware
SANS ISC | 2 months ago | Who You Gonna Call? AndroxGh0st Busters! [Guest Diary] - SANS Internet Storm Center
InfoSecurity-magazine | 4 months ago | Log4J Still Among Top Exploited Vulnerabilities, Cato Finds
CERT-EU | 7 months ago | Sensor Intel Series: Top CVEs in December 2023
CERT-EU | 7 months ago | Sensor Intel Series: Top CVEs in January 2024
CERT-EU | 8 months ago | Cyber Security Week in Review: January 19, 2024
CERT-EU | 8 months ago | CISA and FBI Reveal Known Androxgh0st Malware IoCs and TTPs
CERT-EU | 8 months ago | FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft
CERT-EU | 8 months ago | Androxgh0st Malware: SafeBreach Coverage for US-CERT Alert (AA24-016A)
DARKReading | 8 months ago | CISA: AWS, Microsoft 365 Accounts Under Active 'Androxgh0st' Attack
CERT-EU | 8 months ago | Hackers Building AndroxGh0st Botnet to Target AWS, O365, Feds Warn
InfoSecurity-magazine | 8 months ago | US Government Urges Action to Mitigate Androxgh0st Malware Threat
CERT-EU | 8 months ago | Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials
CISA | 8 months ago | CISA and FBI Release Known IOCs Associated with Androxgh0st Malware | CISA
Securityaffairs | 8 months ago | FBI, CISA warn of AndroxGh0st botnet for victim identification and exploitation
CERT-EU | 8 months ago | FBI: Beware of cloud-credential thieves building botnets
CERT-EU | 8 months ago | CISA and FBI Release Known IOCs Associated with Androxgh0st Malware
CERT-EU | 8 months ago | FBI: Androxgh0st malware botnet steals AWS, Microsoft credentials
CISA | 8 months ago | Known Indicators of Compromise Associated with Androxgh0st Malware | CISA
CERT-EU | 9 months ago | Sensor Intel Series: Top CVEs in October 2023