CISA and the FBI warned today that threat actors using Androxgh0st malware are building a botnet focused on cloud credential theft and using the stolen information to deliver additional malicious payloads.
First spotted by Lacework Labs in 2022, the botnet scans for websites and servers running versions of the PHPUnit unit testing framework, the Laravel PHP web framework, and the Apache HTTP Server that are affected by remote code execution vulnerabilities.
The RCE flaws targeted in these attacks include CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel).
Stolen Twilio and SendGrid credentials can be used by the threat actors to conduct spam campaigns impersonating the breached companies.
The attackers have also been observed creating fake pages on compromised websites, giving them a backdoor into databases containing sensitive information and a foothold from which to deploy further malicious tools needed for their operations.
Upon successfully identifying and compromising AWS credentials on a vulnerable website, they've also tried creating new users and user policies.
Androxgh0st operators use stolen credentials to spin up new AWS instances for scanning additional vulnerable targets across the Internet.
Among the recommended mitigations, CISA and the FBI specifically advise ensuring that Apache HTTP Server is not running version 2.4.49 or 2.4.50.
On a one-time basis for previously stored cloud credentials, and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the.
Scan the server's file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
Review outgoing GET requests to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a .php file.
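The three detection and mitigation checks above (the Apache version check, the sweep of the phpunit Util/PHP directory, and the review of outbound GET requests for .php files on file hosting sites) can be scripted. The block below is an added example written for this page; it is not code from the CISA/FBI advisory or from BleepingComputer. The proxy log format, the sample log lines, the list of file hosting domains, and the list of files expected in phpunit's src/Util/PHP directory are assumptions made for the example and should be adjusted to the environment being checked.

```python
# Added example, not code from the advisory or the article: hunting checks that follow
# the CISA/FBI detection guidance. Log format, host list and the expected phpunit
# file list are assumptions made for this example.
import os
import re
from urllib.parse import urlparse

# Apache HTTP Server versions the advisory says must not be running.
VULNERABLE_APACHE = {"2.4.49", "2.4.50"}

# Entries normally present in phpunit/src/Util/PHP (assumption: PHPUnit 8/9 layout).
# eval-stdin.php is the CVE-2017-9841 entry point and is flagged separately.
EXPECTED_PHPUNIT_UTIL_PHP = {
    "AbstractPhpProcess.php",
    "DefaultPhpProcess.php",
    "WindowsPhpProcess.php",
    "Template",
}

# File hosting domains to watch for payload retrieval (assumption; extend as needed).
FILE_HOSTS = {
    "github.com",
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "pastebin.com",
}

# Constructed proxy log format used by this example: "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def vulnerable_apache_version(banner: str) -> bool:
    """True if an 'httpd -v' line or Server header names Apache 2.4.49 or 2.4.50."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return bool(m) and m.group(1) in VULNERABLE_APACHE


def unexpected_phpunit_files(names, expected=EXPECTED_PHPUNIT_UTIL_PHP):
    """Given the entries of .../vendor/phpunit/phpunit/src/Util/PHP, return (name, reason)
    for anything that is not part of a normal install."""
    findings = []
    for name in sorted(names):
        if name == "eval-stdin.php":
            findings.append((name, "eval-stdin.php present; confirm PHPUnit is patched for CVE-2017-9841"))
        elif name not in expected:
            findings.append((name, "unrecognized file in phpunit Util/PHP"))
    return findings


def scan_phpunit_dir(webroot: str):
    """Filesystem wrapper around unexpected_phpunit_files() for the path the advisory names."""
    target = os.path.join(webroot, "vendor", "phpunit", "phpunit", "src", "Util", "PHP")
    if not os.path.isdir(target):
        return []
    return unexpected_phpunit_files(os.listdir(target))


def suspicious_php_fetches(log_lines):
    """Return (client, url) for outbound GET requests that fetch a .php file from a file host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("method") != "GET":
            continue
        u = urlparse(m.group("url"))
        host = (u.hostname or "").lower()
        if host in FILE_HOSTS and u.path.lower().endswith(".php"):
            hits.append((m.group("client"), m.group("url")))
    return hits


# Constructed sample input (not real traffic) so the example runs offline.
SAMPLE_LOG = [
    "2024-01-16T10:00:01Z 10.0.0.5 GET https://raw.githubusercontent.com/example/repo/main/payload.php 200",
    "2024-01-16T10:00:02Z 10.0.0.5 GET https://github.com/example/repo 200",
    "2024-01-16T10:00:03Z 10.0.0.7 GET https://pastebin.com/raw/abcd1234 200",
    "2024-01-16T10:00:04Z 10.0.0.9 POST https://pastebin.com/raw/shell.php 200",
    "2024-01-16T10:00:05Z 10.0.0.9 GET https://pastebin.com/raw/shell.php?x=1 200",
]

if __name__ == "__main__":
    print(vulnerable_apache_version("Server version: Apache/2.4.49 (Unix)"))
    print(unexpected_phpunit_files({"AbstractPhpProcess.php", "eval-stdin.php", "x.php"}))
    print(suspicious_php_fetches(SAMPLE_LOG))
```

The phpunit check deliberately separates "eval-stdin.php exists" from "unknown file": the former is legitimate in some PHPUnit versions and only means the installed version must be verified against CVE-2017-9841, while the latter is the webshell drop the advisory is warning about. The log check keys on the request method and the path suffix rather than on the full URL, so query strings and raw-content mirrors of the same hosts are still caught.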
The FBI also asked organizations that detect suspicious or criminal activity linked to this threat to share information on Androxgh0st malware.
CISA added the CVE-2018-15133 Laravel deserialization of untrusted data vulnerability to its Known Exploited Vulnerabilities Catalog today based on this evidence of active exploitation.
The U.S. cybersecurity agency also ordered federal agencies to secure their systems against these attacks by February 6.
The CVE-2021-41773 Apache HTTP Server path traversal and CVE-2017-9841 PHPUnit command injection vulnerabilities were added to the catalog in November 2021 and February 2022, respectively.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 16 Jan 2024 17:35:27 +0000