The Federal Bureau of Investigation and the Cybersecurity & Infrastructure Security Agency have warned in a joint advisory about a threat actor deploying a botnet built on the Androxgh0st malware.
The malware collects cloud credentials, such as those for AWS and Microsoft Azure, abuses the Simple Mail Transfer Protocol (SMTP) and scans for Amazon Simple Email Service (SES) parameters, among other capabilities.
Androxgh0st was first publicly documented in December 2022 by Lacework, a cloud security company.
The malware is written in Python and is primarily used to steal Laravel .env files, which hold secrets such as credentials for high-profile applications.
Organizations can integrate applications and platforms such as AWS, Microsoft Office 365, SendGrid or Twilio with the Laravel framework, and all of those applications' secrets are stored in the .env file.
The botnet hunts for websites built on the Laravel web application framework and then checks whether the domain's root-level .env file is reachable, because the variables it contains may be usernames, passwords, tokens or other credentials.
The cybersecurity company Fortinet published telemetry on Androxgh0st showing more than 40,000 devices infected by the botnet.
Androxgh0st can also access the Laravel application key (APP_KEY). If that key is exposed, the attackers try to use it to encrypt PHP code and pass the result to the website as the value of the XSRF-TOKEN variable; Laravel decrypts that token on the server, and vulnerable versions deserialize the decrypted contents.
A successful attempt lets the attacker upload files to the website remotely.
Based on this evidence of active exploitation, CISA added CVE-2018-15133, a deserialization of untrusted data vulnerability in Laravel, to its Known Exploited Vulnerabilities Catalog.
The threat actor deploying Androxgh0st has also been observed exploiting CVE-2017-9841, a remote code execution vulnerability in the PHPUnit testing framework for PHP.
The malware has several features that enable SMTP abuse, including checking Amazon Simple Email Service sending quotas, most likely in preparation for spam campaigns.
How to protect against the Androxgh0st malware threat
Ensure Laravel applications are not configured to run in debug or testing mode; debug mode returns detailed error output, including stack traces and request context, to anyone who can trigger an error, which makes weaknesses easier to exploit.
Search for unknown or unrecognized PHP files, particularly in the root folder of the web server and, if PHPUnit is installed on the web server, in the /vendor/phpunit/phpunit/src/Util/PHP folder.
Review outgoing GET requests to file hosting platforms, particularly when the request fetches a .php file.
Check for newly created users or resources in each of the affected services, because Androxgh0st has been observed creating new AWS instances that are used for additional scanning activity.
Deploy multifactor authentication on every service that supports it, so that an attacker holding valid credentials cannot use them on their own.
This Cyber News was published on www.techrepublic.com. Publication date: Thu, 18 Jan 2024 19:13:05 +0000