Researchers recently identified a spike in Androxgh0st attacks, a Trojan that targets Windows, Mac and Linux platforms, which jumped straight into second place in the top malware list.
Our latest Global Threat Index for April 2024 revealed a significant increase in the use of Androxgh0st, with the malware being used as a tool for stealing sensitive information using botnets.
Exploiting vulnerabilities such as CVE-2021-3129 and CVE-2024-1709, attackers deploy web shells for remote control while focusing on building botnets for credential theft.
Androxgh0st actors have demonstrated a preference for exploiting vulnerabilities in Laravel applications to loot credentials for cloud-based services like AWS, SendGrid, and Twilio.
For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting PHPUnit, the Laravel Framework, and the Apache Web Server.
Web Servers Malicious URL Directory Traversal - A directory traversal vulnerability exists on different web servers.
The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns.
Zyxel ZyWALL Command Injection - A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands on the affected system.
PHP Easter Egg Information Disclosure - An information disclosure vulnerability has been reported in the PHP pages.
The vulnerability is due to incorrect web server configuration.
A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
OpenSSL TLS DTLS Heartbeat Information Disclosure - An information disclosure vulnerability exists in OpenSSL. The vulnerability, aka Heartbleed, is due to an error when handling TLS/DTLS heartbeat packets.
An attacker can leverage this vulnerability to disclose the memory contents of a connected client or server.
D-Link DNS Command Injection - A command injection vulnerability exists in D-Link DNS. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.
NETGEAR DGN Command Injection - A command injection vulnerability exists in NETGEAR DGN. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
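As an added example (not code from the Check Point post), the check a defender would run for the directory traversal pattern described in the first entry above: decode the request target, including double-encoded variants, and flag any path that climbs above the web root. It is run here over constructed Apache-style access log lines.

```python
import re
from urllib.parse import unquote
# Constructed Apache-style access log lines (sample input, not from the page).
LOG_LINES = [
    '203.0.113.5 - - [10/Apr/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Apr/2024:10:00:02 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Apr/2024:10:00:03 +0000] "GET /cgi-bin/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Apr/2024:10:00:04 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0',
    '192.0.2.9 - - [10/Apr/2024:10:00:05 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 100',
]
# client ip, method, request target from a common/combined log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')

def decode_uri_path(uri: str, max_rounds: int = 3) -> str:
    """Drop the query string; percent-decode repeatedly so %252e -> %2e -> . resolves."""
    path = uri.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat backslash as a separator too

def escapes_web_root(uri: str) -> bool:
    """True if the decoded path climbs above the document root: each '..'
    pops one level, and dropping below zero means traversal out of the root."""
    depth = 0
    for segment in decode_uri_path(uri).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False

def flag_traversal(lines):
    """Return (client_ip, raw_request_target) for every log line whose request
    escapes the web root; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and escapes_web_root(m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits

if __name__ == "__main__":
    for ip, target in flag_traversal(LOG_LINES):
        print(f"traversal attempt from {ip}: {target}")
```

A benign "/docs/a/../b.html" stays inside the root and is not flagged, so the check keys on depth rather than on the mere presence of "..".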
Lockbit3 was the most prevalent ransomware group last month, responsible for 9% of the published attacks, followed by Play with 7% and 8Base with 6%.
Lockbit3 - LockBit is a ransomware, operating in a RaaS model, first reported in September 2019.
Despite experiencing significant outages in February 2024 due to law enforcement action, LockBit3 has resumed publishing information about its victims.
Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it employs techniques like using living-off-the-land binaries for tasks such as data exfiltration and credential theft.
This Cyber News was published on blog.checkpoint.com. Publication date: Thu, 09 May 2024 14:43:06 +0000