This botnet was first spotted by Lacework Labs in 2022 and was controlling over 40,000 devices almost one year ago, according to Fortiguard Labs data.
Androxgh0st malware hackers creating large botnet, CISA and FBI warn
On Tuesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on the malware, saying multiple ongoing investigations have allowed them to assess the tactics used by the threat actors deploying it.
The malware dates back to December 2022, when researchers at Lacework said they saw it used in campaigns to steal a wide variety of credentials.
The agencies said they have observed Androxgh0st malware establishing a botnet “for victim identification and exploitation in target networks.” The botnet searches for .env files, which are commonly sought by threat actors because they store credentials and tokens.
The credentials are from “high profile applications,” like Amazon Web Services, Microsoft Office 365, SendGrid and Twilio, the agencies said.
“Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment,” they said.
The malware is used as part of an effort to scan and search for websites with specific vulnerabilities. Hackers behind the campaign “likely use Androxgh0st to download malicious files to the system hosting the website,” the agencies explained.
The malware also searches for websites using the Laravel framework — a tool used for the development of web applications. Once the botnet finds websites using Laravel, hackers try to determine if certain files are exposed and contain credentials.
The advisory notes that Laravel is affected by CVE-2018-15133 — a vulnerability used by the botnet to access usernames, passwords, and other credentials for services like email (via SMTP) and AWS accounts. SMTP is used by mail servers to send, receive, and relay outgoing email between senders and receivers.
CISA added the vulnerability to its catalog of Known Exploited Vulnerabilities on Tuesday. Federal civilian agencies have until February 6 to patch it.
“If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations,” the agencies said.
“For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies. Additionally, Androxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity.”
The malware is used for cryptojacking, spamming, or malicious email campaigns and exploits unpatched vulnerabilities in web applications to move laterally and maintain persistence by creating accounts and elevating permissions.
Smith noted that because AndroxGh0st is exploiting exposed .env files and unpatched vulnerabilities, users are advised to inspect and monitor cloud environments regularly for any exposures and have a very aggressive policy for out-of-band patching.
“We also advise that an ounce of prevention is worth a pound of cure,” he said. “The cloud is most definitely not ‘set and forget’; it must be assertively secured and re-secured like any other part of the security estate.”
Several other experts called AndroxGh0st “noisy” because of the trail of evidence it leaves behind and because it is scanning for easily compromised systems.
Qualys’ Ken Dunham noted that Fortinet reports around 40,000 compromised hosts as part of the botnet. Dunham added that the botnet is “growing as it attacks targets around the world that are misconfigured and vulnerable to attack.”
FBI: Androxgh0st malware botnet steals AWS, Microsoft credentials
January 16, 2024, 12:34 PM
It scans for websites and servers vulnerable to the following remote code execution (RCE) vulnerabilities: CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel PHP web framework).
"Androxgh0st is a Python-scripted malware primarily used to target .env files that contain confidential information, such as credentials for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework)," the two agencies cautioned.
"Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment."
Stolen Twilio and SendGrid credentials can be used by the threat actors to conduct spam campaigns impersonating the breached companies.
"Depending on the usage, AndroxGh0st can perform one of two primary functions against acquired credentials. The most commonly observed of these is to check the email sending limit for the account to assess if it can be leveraged for spamming," according to Lacework.
- Upon successfully identifying and compromising AWS credentials on a vulnerable website, they've also tried creating new users and user policies.
- Furthermore, Androxgh0st operators use stolen credentials to spin up new AWS instances for scanning additional vulnerable targets across the Internet.
- Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.
- Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
- Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them.
- On a one-time basis for previously stored cloud credentials, and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
- Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
- Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a .php file.
CISA added the CVE-2018-15133 Laravel deserialization of untrusted data vulnerability to its Known Exploited Vulnerabilities Catalog today based on this evidence of active exploitation.
The U.S. cybersecurity agency also ordered federal agencies to secure their systems against these attacks by February 6.
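Two items from the mitigation checklist above (watching for requests that touch .env files or the PHPUnit Util/PHP folder, and getting cloud credentials and debug mode out of live Laravel .env files) map directly onto the .env hunting described earlier in the article. The Python below is an added example, not code from the advisory or from either article; every log line and .env value in it is a constructed placeholder.

```python
import re

# Constructed sample Apache combined-format log lines, not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
203.0.113.10 - - [16/Jan/2024:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/ HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
198.51.100.7 - - [16/Jan/2024:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:10:01:04 +0000] "GET /app/.env HTTP/1.1" 200 812 "-" "python-requests/2.25.1"
"""
# Constructed Laravel .env; every value is a placeholder, not a real secret.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_DEBUG=true
MAIL_PASSWORD="not-a-real-password"
AWS_ACCESS_KEY_ID=AKIA-CONSTRUCTED-PLACEHOLDER
AWS_SECRET_ACCESS_KEY=
TWILIO_AUTH_TOKEN=constructed-placeholder
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Paths the advisory tells defenders to watch: .env lookups and the PHPUnit Util/PHP folder.
WATCHED_PATH_RE = re.compile(r'(^|/)\.env(\b|$)|/vendor/phpunit/phpunit/src/Util/PHP', re.IGNORECASE)
# Keys holding the credential types the advisory names (AWS, SendGrid, Twilio, SMTP mail).
CREDENTIAL_KEY_RE = re.compile(r'^(AWS_|SENDGRID_|TWILIO_|MAIL_PASSWORD)', re.IGNORECASE)


def flag_requests(log_text):
    """Return (ip, path, status) for each request touching a .env file or the PHPUnit Util/PHP folder."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and WATCHED_PATH_RE.search(m["path"]):
            # A 200 on one of these paths means the file was actually served, not just probed.
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def audit_env(env_text):
    """Return (finding, key) pairs: debug mode left on, and credentials that should be removed and revoked."""
    findings = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("\"'")
        if key.upper() == "APP_DEBUG" and value.lower() == "true":
            findings.append(("debug_enabled", key))
        elif value and CREDENTIAL_KEY_RE.match(key):  # empty values are not findings
            findings.append(("credential_in_env", key))
    return findings
```

Run `flag_requests` over a real access log to find hosts that pulled a .env file with a 200, and `audit_env` over each deployed .env before rotating the keys it reports.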
The CVE-2021-41773 Apache HTTP Server path traversal and CVE-2017-9841 PHPUnit command injection vulnerabilities were added to the catalog in November 2021 and February 2022, respectively.