Tech News and Updates

Looming danger: Androxgh0st botnet exploits RCE vulnerabilities worldwide

Looming danger: Androxgh0st botnet exploits RCE vulnerabilities worldwide - Zest Logic

A recent joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued on January 16 has highlighted an escalating threat posed by threat actors utilizing Androxgh0st malware. This group is actively establishing a botnet, concentrating on cloud credential theft and employing the stolen data to disseminate additional malicious payloads.

Initially identified by Lacework Labs in 2022, the Androxgh0st botnet has exhibited control over more than 40,000 devices nearly a year ago, as per Fortiguard Labs data. Operating as a Python-scripted malware, Androxgh0st primarily targets .env files housing confidential data, including credentials for high-profile applications like Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio within the Laravel web application framework.

The malware systematically scans for vulnerabilities, particularly remote code execution (RCE) flaws such as CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel PHP web framework). These vulnerabilities serve as entry points for Androxgh0st to exploit and gain unauthorized access to systems.

Androxgh0st's modus operandi extends beyond data theft; it includes abusing the Simple Mail Transfer Protocol (SMTP), deploying web shells, and conducting various functions like scanning for exposed credentials. In particular, Stolen Twilio and SendGrid credentials are utilized for spam campaigns where threat actors impersonate breached companies.

Beyond focusing on one specific vulnerability, CISA and the FBI have recommended a series of mitigation measures. These include maintaining up-to-date operating systems, software, and firmware, ensuring default configurations deny all requests unless specifically required, securing Laravel applications, and regularly reviewing and revoking cloud credentials.

For eCommerce businesses, the advisory underscores the significance of addressing all identified vulnerabilities, including CVE-2017-9841, CVE-2021-41773, and CVE-2018-15133. The latter, in particular, is highlighted as a vulnerability in the widely used Laravel framework (versions through 5.5.40 and 5.6.x through 5.6.29), emphasizing the need for eCommerce platforms to stay updated, with the latest Laravel version being 10, to fortify against potential exploits.

CISA has promptly added these vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging federal agencies to fortify their systems against these threats by February 6. Organizations detecting suspicious activities related to Androxgh0st malware are encouraged to share information with the FBI. In the ever-evolving cybersecurity landscape, a comprehensive approach remains crucial to safeguarding online ecosystems.

In our blog, we post technology-related articles weekly. Follow us on Facebook and Instagram to get notifications about updates.

Reading next

The cost of cybersecurity: Dell's deep dive into 2023's global trends - Zest Logic
Sustainable, digital, and inclusive: Ecommerce Europe's Manifesto defines the next chapter for European сommerce - Zest Logic

Interested in a specific business & technology topic and looking for an article in our blog but haven't found one yet?

If you haven't come across an article that matches your query, feel free to suggest the topic to us, and we'll consider featuring it in our blog. Share your suggestion in the form below, and we'll be sure to review your request.

Talk with us

If you have any questions or problems in your business that can be solved with technical solutions, just let us know. We'll do everything we can to help you.