Imperva Uncovers New IoCs for AndroxGh0st Botnet

On January 16, a joint alert from FBI and CISA warned about a concerning development: the emergence of a botnet driven by AndroxGh0st malware targeting vulnerable applications and web servers.
AndroxGh0st is a Python-based malware, first seen in late 2022, designed to target Laravel .env files and steal credentials for AWS, Microsoft Office 365, and other applications.
Among the vulnerabilities highlighted in the advisory:
CVE-2021-41773, path traversal in Apache HTTP Server.
CVE-2018-15133, deserialization of untrusted data in Laravel Framework.
In 2024, Imperva Threat Research has seen over 30,000 unique sites targeted in attacks attempting to exploit these vulnerabilities, predominantly in the Financial Services and Business industries.
Since late 2023, Imperva Threat Research has monitored activity from threat actors associated with the AndroxGh0st malware disclosed in CISA's report.
We can attribute this activity to the criminal group based on two key factors: the unique signature of these events aligns with CISA's disclosure, and the identical nature of one of the payloads observed to those mentioned in the report.
[Figure: CISA-disclosed payload.]
In addition to the CISA-disclosed payload, Imperva Threat Research discovered an additional payload containing the PHP webshell in base64-encoded form, presumably to overcome RFI mitigations on the target host.
[Figure: Additional payload discovered by Imperva Threat Research.]
In another notable deviation from CISA's findings, our team also detected exploitation of an unmentioned vulnerability: the Drupal Core vulnerability CVE-2019-6340, which the AndroxGh0st threat actors used to deploy webshells.
We observed the threat actors' use of the same proxy IPs to deploy the same webshell within a similar time frame, exploiting both the Drupal and PHPUnit vulnerabilities.
Imperva Threat Research also observed the group attempting to use a WSO2 vulnerability to deploy and interact with JSP webshells.
Most notably, we observed the group attempting to interact with these webshells to deploy the XMRig cryptominer, using one of the URLs documented in CISA's disclosure.
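As an added defensive example (not Imperva's code or data), a small Python scanner that flags the request patterns this post describes in constructed access-log lines: probes for Laravel .env files, URL-encoded path traversal, and a base64-encoded PHP payload of the kind noted above. The log format, the sample IPs and the trailing "request body" field are assumptions made for the example.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample log lines (hypothetical, not Imperva's telemetry); the last quoted field is
# a constructed "request body excerpt", which a stock Apache access log does not carry.
_FAKE_WEBSHELL = base64.b64encode(b'<?php echo "placeholder"; ?>').decode()
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Feb/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 0 "-"',
    f'203.0.113.5 - - [01/Feb/2024:10:00:02 +0000] "POST /index.php HTTP/1.1" 200 0 "{_FAKE_WEBSHELL}"',
    '198.51.100.7 - - [01/Feb/2024:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/.env HTTP/1.1" 403 0 "-"',
    '192.0.2.9 - - [01/Feb/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-"',
]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)

def is_base64_php(blob):
    # Valid base64 whose decoded bytes contain a PHP open tag: the encoded-webshell pattern.
    try:
        decoded = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return b"<?php" in decoded.lower()

def classify(line):
    # Return (client_ip, findings) for one line, or None if the line does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so %252e-style double encoding also collapses; drop any query string.
    path = unquote(unquote(m["path"])).split("?", 1)[0]
    findings = []
    if path.endswith("/.env") or "/.env." in path:
        findings.append("env-probe")
    if "../" in path or path.endswith("/.."):
        findings.append("path-traversal")
    if m["body"] != "-" and is_base64_php(m["body"]):
        findings.append("base64-php-payload")
    return m["ip"], findings

def scan(lines):
    # Aggregate findings per client IP; IPs with no findings are omitted.
    hits = {}
    for parsed in map(classify, lines):
        if parsed and parsed[1]:
            hits.setdefault(parsed[0], []).extend(parsed[1])
    return hits
```

Run against real logs, these three checks are a triage filter rather than a verdict: a single .env probe is common background noise, while the same source combining all three patterns is the behaviour worth escalating.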
In our ongoing commitment to cybersecurity, we have implemented robust measures to safeguard against a wide array of vulnerabilities identified in the recent FBI security warning and this blog.
We continue to advocate for regular application patching and updates as a best practice in cybersecurity.


This Cyber News was published on www.imperva.com. Publication date: Thu, 01 Feb 2024 17:13:04 +0000