CISA: AWS, Microsoft 365 Accounts Under Active 'Androxgh0st' Attack

The FBI and the US Cybersecurity and Infrastructure Security Agency have issued an alert about a malware campaign targeting Apache webservers and websites using the popular Laravel Web application framework, leveraging known bugs for initial compromise.
The end goal of the campaign is to steal credentials to high-profile applications such as Amazon Web Services, Microsoft 365, Twilio, and SendGrid, so the threat actors can access sensitive data in the apps or use the apps for other malicious operations.
In many incidents the adversaries have also used the stolen credentials to create new AWS instances for additional, malicious scanning activity, they noted.
The malware, written in Python, is designed to scan for and extract application secrets such as credentials and API keys from Laravel.
Laravel is an open source PHP Web application framework that many developers use for common Web development tasks without having to write low-level code from scratch.
.env files are a popular adversary target because they often contain credentials and other information that attackers can use to access and abuse high-value apps, such as AWS, Microsoft 365, and Twilio.
Lacework identified the malware as capable of scanning for and exploiting exposed credentials and APIs and of deploying Web shells on compromised systems.
This is not the first big campaign for the malicious code; last March, Fortinet reported observing threat actors using Androxgh0st to target Laravel .env files on an average of 40,000 Fortinet devices per day.
Active Scanning for Vulnerable Websites

According to the FBI and CISA, Androxgh0st threat actors are also actively scanning for websites with specific vulnerabilities in them, particularly CVE-2017-9841, a critical remote code execution vulnerability in PHPUnit, a module for testing PHP code.
They are exploiting the vulnerability to drop Androxgh0st and other malware on affected websites and make them part of a botnet, used to scan for and gather information on other potential targets.
CVE-2017-9841 is a widely targeted vulnerability from 2017, with vendors like Imperva reporting millions of attacks on affected systems through at least early 2020.
In many instances, the Androxgh0st adversaries have also been observed scanning for Web servers running Apache HTTP Server versions 2.4.49 or 2.4.50 that are vulnerable to CVE-2021-41773, a path traversal vulnerability from 2021 that allows for RCE. CISA has previously warned about CVE-2021-41773 being among the list of vulnerabilities that China-backed threat actors tend to exploit the most in their campaigns.
The FBI and CISA alert described the threat actors as using the botnet to scan for websites using the Laravel Web application and to then determine if the domain's root.
If either method elicits a successful response, the threat actors are able to look for secrets in the .env file, including usernames and passwords to AWS, email accounts and other enterprise apps.
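The .env lookup and vulnerability probing described above leave a recognizable trace in web server access logs. The following is an added example (not code from the advisory or the article) that scans constructed Apache combined-format log lines for those probes; the PHPUnit eval-stdin.php path and the encoded dot-segment pattern are assumed indicators for CVE-2017-9841 and CVE-2021-41773 and are not quoted from the page.

```python
import re

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jan/2024:18:15:08 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [17/Jan/2024:18:15:09 +0000] "POST / HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [17/Jan/2024:18:16:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Jan/2024:18:17:22 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Detection rules: name -> regex applied to the request path.
RULES = [
    # A request for .env at the document root: the lookup the advisory describes.
    ("laravel-env-probe", re.compile(r'^/\.env(?:[?#]|$)')),
    # PHPUnit eval-stdin.php (assumed indicator for CVE-2017-9841 probing).
    ("phpunit-eval-stdin", re.compile(r'/phpunit/.*/eval-stdin\.php', re.I)),
    # Percent-encoded dot segments (assumed indicator for CVE-2021-41773-style traversal).
    ("apache-encoded-traversal", re.compile(r'%2e%2e|\.%2e|%2e\.', re.I)),
]


def classify(path):
    """Return the names of all rules matching a request path."""
    return [name for name, rx in RULES if rx.search(path)]


def scan_log(text):
    """Return one finding per suspicious request. A 200 on the .env probe means
    the file was likely served, i.e. the secrets should be treated as exposed."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        tags = classify(m["path"])
        if not tags:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "path": m["path"], "status": status, "tags": tags,
            "likely_exposed": "laravel-env-probe" in tags and status == 200,
        })
    return findings
```

Any finding with likely_exposed set should trigger rotation of every credential in that .env file, since the attackers' next step is to reuse them against AWS, Microsoft 365 and the other services named above.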
- Prioritize patching known exploited vulnerabilities in Internet-facing systems.
- Review and ensure only necessary servers and services are exposed to the Internet.
- Review platforms or services that have credentials listed in.


This Cyber News was published on www.darkreading.com. Publication date: Wed, 17 Jan 2024 18:15:08 +0000

