Hackers are building a dangerous new botnet and, in the process, going after Microsoft and AWS assets, warns a new security advisory released by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
According to the advisory, researchers have detected threat actors using the Androxgh0st malware to compromise computers and servers.
They were seen scanning endpoints for three remote code execution vulnerabilities: CVE-2017-9841, CVE-2021-41773, and CVE-2018-15133. By exploiting these flaws, attackers would use Androxgh0st to capture .env files containing sensitive data, including (but not limited to) login credentials for AWS and MIcrosoft assets.
Mitigate the threat
Androxgh0st is capable of more than “simply” compromising vulnerable devices and stealing login credentials. It can also abuse Simple Mail Protocol (SMTP) and check the sending limit of email accounts found on breached computers. If the limit is satisfactory, the malware can be used to mount phishing and spam campaigns.
Additionally, hackers can use access to Microsoft and AWS assets to create fake pages on compromised websites, giving them backdoor access to databases with sensitive information.
To stay secure, the FBI and CISA say, organizations should ensure their operating systems, software, and firmware are up-to-date. It was highlighted as critical to ensure that your Apache servers are not running versions 2.4.49 or 2.4.50. Additionally, they should ensure that the default setting for all URIs is to deny all requests unless there is a specific need for it to be accessible. Additionally, Laravel applications should not be in debug or test mode, and cloud credentials should not be present in .env files.
The full list of recommendations can be found here BleepingComputer link.
CVE-2018-15133, described as Laravel deserialization of an untrusted data vulnerability, was added to CISA's catalog of known exploited vulnerabilities (KEV) as actively exploited.
