A joint advisory issued on January 16, 2024 by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warns of an escalating threat from threat actors deploying the Androxgh0st malware. The operators are building a botnet that concentrates on cloud credential theft and use the stolen credentials to distribute additional malicious payloads.
First identified by Lacework Labs in 2022, the Androxgh0st botnet was already controlling more than 40,000 devices roughly a year before the advisory, according to Fortiguard Labs data. Androxgh0st is a Python-scripted malware that primarily targets .env files, the configuration files in which Laravel web applications store secrets, including credentials for Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio.
The malware systematically scans for vulnerable hosts, in particular ones exposed to known remote code execution (RCE) flaws: CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server path traversal, exploitable for RCE on affected 2.4.49 installs), and CVE-2018-15133 (Laravel PHP web framework). These vulnerabilities serve as Androxgh0st's entry points for unauthorized access. Note that exploiting CVE-2018-15133 requires the application's APP_KEY, which is exactly one of the values a harvested .env file supplies.
Androxgh0st's modus operandi extends beyond data theft: it abuses the Simple Mail Transfer Protocol (SMTP), deploys web shells, and scans websites for exposed credentials. Stolen Twilio and SendGrid credentials in particular are used for spam campaigns in which the threat actors impersonate the breached companies.
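The scanning described above leaves a recognisable trail in ordinary web-server access logs: requests for `.env` files, for the PHPUnit `eval-stdin.php` script behind CVE-2017-9841, and for `.%2e`-style encoded traversal paths that exploit CVE-2021-41773. The following script is an added example written for this article, not code from the advisory or from Androxgh0st; the regular expressions, rule names and the sample log lines are constructed for illustration. It groups matching requests by source IP and, most importantly for incident response, separates `.env` requests the server answered with HTTP 200 (the file was actually served, so its credentials must be treated as stolen) from probes that failed. CVE-2018-15133 is not covered because its exploitation rides in a request header that access logs do not record.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" access-log format (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Request-path signatures for the techniques the advisory describes. The two
# CVE paths are the publicly known exploit paths for those bugs.
RULES = (
    ("env_probe", re.compile(r'(?:^|/)\.env(?:\.[\w.-]+)?(?:\?.*)?$', re.I),
     "request for a Laravel .env file (cloud/SMTP credential theft)"),
    ("phpunit_rce", re.compile(r'/phpunit/.*eval-stdin\.php', re.I),
     "CVE-2017-9841 PHPUnit eval-stdin.php remote code execution"),
    ("apache_traversal", re.compile(r'/(?:\.%2e|%2e\.|%2e%2e)/', re.I),
     "CVE-2021-41773 Apache HTTP Server encoded path traversal"),
)


def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Names of every rule whose signature matches the request path."""
    return [name for name, pattern, _ in RULES if pattern.search(path)]


def scan(lines):
    """Group Androxgh0st-style probes by source IP.

    Returns {ip: {"probes": Counter(rule -> count), "exposed": [paths]}}.
    "exposed" lists .env requests answered with HTTP 200: the secrets in that
    file must be assumed stolen and rotated, not merely blocked going forward.
    """
    report = defaultdict(lambda: {"probes": Counter(), "exposed": []})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for rule in classify(rec["path"]):
            entry = report[rec["ip"]]
            entry["probes"][rule] += 1
            if rule == "env_probe" and rec["status"] == "200":
                entry["exposed"].append(rec["path"])
    return dict(report)


# Constructed sample lines (not real traffic): one scanner, one benign client.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [16/Jan/2024:10:00:02 +0000] "GET /admin/.env HTTP/1.1" 200 1234 "-" "python-requests/2.31"
203.0.113.7 - - [16/Jan/2024:10:00:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [16/Jan/2024:10:00:04 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.9 - - [16/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, dict(info["probes"]), "exposed:", info["exposed"])
```

Run it against a real log with `scan(open("access.log").readlines())`; any IP with a non-empty `exposed` list is a rotation event, whereas a burst of 404s is reconnaissance that a deny-by-default server configuration should already be turning away.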
Rather than focusing on a single vulnerability, CISA and the FBI recommend a series of mitigations: keep operating systems, software, and firmware up to date; configure servers to deny all requests by default unless a resource is specifically required; secure Laravel applications; and regularly review and revoke cloud credentials.
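When a Laravel host is suspected of having served its .env file, the practical first step in "review and revoke cloud credentials" is knowing exactly which secrets that file held. The script below is an added example for this article, not part of the advisory or of any Laravel tooling; the key-name patterns, the `audit` function and the sample .env contents are constructed for illustration. It parses a dotenv file, maps each populated key to the credential family Androxgh0st harvests (AWS, SMTP for Office 365, SendGrid, Twilio, and Laravel's own APP_KEY, whose theft feeds CVE-2018-15133), and flags two settings that make exposure more likely or more damaging: `APP_DEBUG=true` (Laravel's documentation warns this can disclose configuration values to end users) and a file mode readable by group or others.

```python
import re
import stat

# Key-name patterns for the credentials Androxgh0st harvests from Laravel .env
# files, plus APP_KEY. Constructed for this example; extend to your own keys.
SECRET_PATTERNS = {
    "aws": re.compile(r"^AWS_(?:ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$"),
    "smtp": re.compile(r"^MAIL_(?:USERNAME|PASSWORD)$"),
    "sendgrid": re.compile(r"^SENDGRID_"),
    "twilio": re.compile(r"^TWILIO_"),
    "laravel_app_key": re.compile(r"^APP_KEY$"),
}

ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Parse dotenv-style KEY=value lines. Comments and blank lines are skipped;
    a matching pair of single or double quotes around a value is stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def audit(env, mode=None):
    """Return the credentials to rotate if this file was exposed, grouped by
    provider, plus configuration findings. `mode` is the file's st_mode."""
    rotate = {}
    for key, value in env.items():
        if not value:
            continue  # an unset key carries nothing worth stealing
        for category, pattern in SECRET_PATTERNS.items():
            if pattern.match(key):
                rotate.setdefault(category, []).append(key)
    findings = []
    if env.get("APP_DEBUG", "false").strip().lower() == "true":
        findings.append("APP_DEBUG=true: verbose error pages can disclose configuration; set it to false")
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f".env readable by group/others (mode {stat.S_IMODE(mode):04o}); chmod 600 it")
    return {"rotate": rotate, "findings": findings}


# Constructed sample .env for a fictional shop; every value here is fake.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_KEY=base64:ZXhhbXBsZQ==
APP_DEBUG=true

# mail goes out through Office 365
MAIL_HOST=smtp.office365.com
MAIL_USERNAME=orders@example.com
MAIL_PASSWORD="Sup3r secret"

AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE
AWS_SECRET_ACCESS_KEY=
TWILIO_AUTH_TOKEN=0123456789abcdef
"""

if __name__ == "__main__":
    import os
    result = audit(parse_env(SAMPLE_ENV), mode=0o644)  # stand in for os.stat(".env").st_mode
    for category, keys in result["rotate"].items():
        print(f"rotate {category}: {', '.join(keys)}")
    for finding in result["findings"]:
        print("finding:", finding)
```

On a real host, call `audit(parse_env(open(".env").read()), mode=os.stat(".env").st_mode)`. Rotating the listed credentials at the provider (and regenerating APP_KEY) is what actually ends the attacker's access; patching the web server only stops the next theft.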
For eCommerce businesses, the advisory underscores the importance of addressing all three identified vulnerabilities: CVE-2017-9841, CVE-2021-41773, and CVE-2018-15133. The last of these affects the widely used Laravel framework (versions through 5.5.40 and 5.6.x through 5.6.29), so eCommerce platforms still on those branches need to move to a supported release (Laravel 10 was current at the time of the advisory) to close off the exploit.
Alongside the advisory, CISA added CVE-2018-15133 to its Known Exploited Vulnerabilities Catalog (CVE-2017-9841 and CVE-2021-41773 were already listed), requiring federal agencies to remediate it by February 6, 2024. Organizations that detect activity linked to Androxgh0st are encouraged to share the information with the FBI. Given how the malware chains an exposed configuration file into cloud abuse and spam, a comprehensive approach covering patching, server configuration, and credential hygiene is what protects an online ecosystem.