The bad actors behind the Androxgh0st malware are building a botnet they can use to identify victims and exploit vulnerable networks to steal confidential information from such high-profile cloud applications as Amazon Web Services, Microsoft Office 365, SendGrid, and Twilio, according to two government agencies.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning this week about the botnet threat from Androxgh0st, which searches for.
They added that reviewing various ongoing investigations and third-party reporting let them determine the indicators of compromise and the tactics, techniques, and procedures associated with the Python-based malware, and showed the agencies how Androxgh0st is establishing a botnet to further identify and compromise vulnerable networks.
In particular, threat actors deploying Androxgh0st have been observed exploiting CVE-2017-9841 to remotely run hypertext preprocessor code on fallible websites via PHPUnit.
PHPUnit is a testing framework for the PHP programming language.
.env files contain sensitive configuration data, including credentials and tokens, according to Callie Guenther, senior manager of cyberthreat research at Critical Start.
The malware is also known to exploit other vulnerabilities, including CVE-2018-15133 in Laravel applications and CVE-2021-41773 in certain versions of Apache HTTP Server.
CISA added the Laravel application flaw to its Known Exploited Vulnerabilities (KEV) catalog.
John Smith, CEO at the IT services and consulting firm Conversant Group, said AndroxGh0st is further proof of the cyberthreats facing cloud environments and the importance of understanding that the cloud is not inherently safe.
It primarily targets cloud environments, looking for exposed.
In its most recent look at AndroxGh0st, Fortinet's FortiGuard Labs group found that this week there are more than 40,000 hosts compromised by the malware, down from a high of about 50,000 in the first week of the year.
.env file is exposed and contains credentials for accessing additional services.
.env file is exposed, the bad actors will try to access the data.
Hackers running Androxgh0st also scan for vulnerable web servers running certain versions of Apache HTTP Server, to steal confidential information and establish persistence.
When threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies.
The bad actors have also been seen creating new AWS instances to run additional scanning activities, they wrote.
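As an added illustration (not code from the advisory or this article), the post-compromise sequence just described can be turned into a detection check: one access key that creates IAM users, policies or keys and then launches instances within a short window. The field names follow CloudTrail's record format; the access key IDs, IP addresses and timestamps below are constructed sample data.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (newline-delimited JSON), not real telemetry.
# The second key goes from CreateUser to RunInstances in under five minutes.
SAMPLE_CLOUDTRAIL = """
{"eventTime":"2024-01-16T02:00:10Z","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"accessKeyId":"AKIAOPERATOREXAMPLE"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-01-16T02:05:41Z","eventName":"CreateUser","eventSource":"iam.amazonaws.com","userIdentity":{"accessKeyId":"AKIALEAKEDENVEXAMPLE"},"sourceIPAddress":"198.51.100.77"}
{"eventTime":"2024-01-16T02:05:55Z","eventName":"PutUserPolicy","eventSource":"iam.amazonaws.com","userIdentity":{"accessKeyId":"AKIALEAKEDENVEXAMPLE"},"sourceIPAddress":"198.51.100.77"}
{"eventTime":"2024-01-16T02:06:02Z","eventName":"CreateAccessKey","eventSource":"iam.amazonaws.com","userIdentity":{"accessKeyId":"AKIALEAKEDENVEXAMPLE"},"sourceIPAddress":"198.51.100.77"}
{"eventTime":"2024-01-16T02:09:30Z","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"accessKeyId":"AKIALEAKEDENVEXAMPLE"},"sourceIPAddress":"198.51.100.77"}
"""

# IAM actions that create new principals or grant them rights (persistence),
# and the compute action used for follow-on scanning.
IAM_PERSISTENCE = {"CreateUser", "PutUserPolicy", "AttachUserPolicy", "CreateAccessKey"}
COMPUTE_ABUSE = {"RunInstances"}


def parse_events(raw):
    """Parse newline-delimited CloudTrail records into sorted, flat dicts."""
    events = []
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": rec["eventName"],
            "key": rec["userIdentity"].get("accessKeyId", "unknown"),
            "ip": rec["sourceIPAddress"],
        })
    return sorted(events, key=lambda e: e["time"])


def find_suspicious_keys(events, window_minutes=30):
    """Return {accessKeyId: sorted event names} for keys that performed an IAM
    persistence action followed by RunInstances within the window."""
    window = timedelta(minutes=window_minutes)
    by_key = {}
    for e in events:
        by_key.setdefault(e["key"], []).append(e)
    alerts = {}
    for key, evs in by_key.items():
        iam = [e for e in evs if e["name"] in IAM_PERSISTENCE]
        ec2 = [e for e in evs if e["name"] in COMPUTE_ABUSE]
        # Any IAM action followed (not preceded) by a launch inside the window triggers.
        if any(timedelta(0) <= b["time"] - a["time"] <= window for a in iam for b in ec2):
            alerts[key] = sorted({e["name"] for e in iam + ec2})
    return alerts


if __name__ == "__main__":
    for key, names in find_suspicious_keys(parse_events(SAMPLE_CLOUDTRAIL)).items():
        print(f"ALERT {key}: {', '.join(names)}")
```

Because only a key that both grants itself new principals and launches compute trips the check, routine administrative activity such as the operator's DescribeInstances call above is not flagged.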
This Cyber News was published on securityboulevard.com. Publication date: Wed, 17 Jan 2024 18:13:03 +0000