Crooks are exploiting years-old vulnerabilities to deploy Androxgh0st malware and build a cloud-credential stealing botnet, according to the FBI and the Cybersecurity and Infrastructure Security Agency.
In a joint warning issued on Tuesday, the US government agencies said the Python-scripted malware primarily targets .env files that contain user credentials for AWS, Microsoft Office 365, SendGrid, and Twilio.
After scanning and exploiting these stolen credentials, Androxgh0st can also be used to deploy web shells, remotely execute code, steal sensitive data, and even spin up new AWS users and instances, we're told.
Miscreants deploying Androxgh0st like to use three old CVEs in these credential-stealing attacks: CVE-2017-9841, a command injection vulnerability in PHPUnit; CVE-2018-15133, an insecure deserialization bug in the Laravel web application framework that leads to remote code execution; and CVE-2021-41773, a path traversal vulnerability in Apache HTTP Server that also leads to remote code execution.
CVE-2017-9841 allows remote execution of PHP code through a malicious HTTP POST request and download of files to the system hosting the compromised website.
The malware also scans for websites using the Laravel web application framework with .env files exposed, and then issues either a GET request to the /.env URI or a POST request to the same URI and attempts to steal credentials and tokens.
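The /.env probing described above leaves a recognisable trace in web server access logs. The following is an added example, not code from the advisory or from The Register, that parses constructed Apache combined-format log lines, flags GET or POST requests for a .env file, and records whether the server actually returned 200 (in which case the file was served and the credentials in it should be treated as exposed). The log lines, IP addresses and user agents are made up for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Jan/2024:22:10:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Jan/2024:22:10:02 +0000] "POST /.env HTTP/1.1" 200 532 "-" "python-requests/2.31"',
    '198.51.100.7 - - [16/Jan/2024:22:11:40 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jan/2024:22:11:41 +0000] "GET /app/.env?x=1 HTTP/1.1" 403 199 "-" "curl/8.0"',
]

# Matches client IP, timestamp, request method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and decode percent-encoding before comparing paths.
    rec["path"] = unquote(urlsplit(rec["target"]).path)
    rec["status"] = int(rec["status"])
    return rec


def is_env_probe(rec):
    """True when the request is a GET or POST whose final path segment is .env."""
    return rec["method"] in ("GET", "POST") and rec["path"].split("/")[-1] == ".env"


def find_env_probes(lines):
    """Return every .env probe, marking whether the server served the file (HTTP 200)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_env_probe(rec):
            rec["served"] = rec["status"] == 200
            hits.append(rec)
    return hits


def probes_by_ip(lines):
    """Count .env probes per source IP so repeat scanners stand out."""
    counts = {}
    for hit in find_env_probes(lines):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts
```

Any hit with `served` set to True means the .env file was handed to the scanner, which is the case where the one-time credential review and rotation the advisory recommends becomes urgent.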
The government security alert includes a list of Androxgh0st indicators of compromise - which is worth a read. Additionally, the FBI and CISA suggest several mitigations to reduce your risk.
A specific tactic to reduce risk of being infected by Androxgh0st is to ensure Apache servers are not running versions 2.4.49 or 2.4.50, which are vulnerable to CVE-2021-41773.
Also: Verify that the default configuration for all URIs is to deny all requests unless there's a legitimate reason for it to be accessible.
On a one-time basis for previously stored cloud credentials, as well as regularly for other types of credentials that cannot be removed, review any platforms or services that list credentials in .env files.
As ever, keep all OSes, software and firmware up to date.
Always good advice, but it's seldom done in the real world.
This Cyber News was published on go.theregister.com. Publication date: Wed, 17 Jan 2024 01:43:04 +0000