The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint warning about a botnet named Androxgh0st. The malware is reported to target credentials for cloud services such as Amazon Web Services (AWS) and Microsoft, and it also delivers additional malicious payloads. Lacework Labs first identified the malware activity in 2022, and it has been a growing concern in the cybersecurity community since then.
The Androxgh0st botnet exploits websites and servers running outdated versions of PHPUnit, the Laravel PHP web framework, and the Apache HTTP Server. Attackers exploit known remote code execution (RCE) vulnerabilities such as CVE-2017-9841 in PHPUnit, CVE-2021-41773 in Apache HTTP Server, and CVE-2018-15133 in the Laravel framework.
How Androxgh0st Operates
Androxgh0st, written in Python, carries out its attacks by hunting for .env files, which in the Laravel web application framework frequently store sensitive configuration data, including credentials for cloud-based services such as AWS, Microsoft Office 365, SendGrid, and Twilio. After stealing these credentials, attackers can deploy web shells that give them backdoor access to databases, and they can use the credentials for spam campaigns or other malicious activity.
The malware also carries tooling that abuses Simple Mail Transfer Protocol (SMTP) services and scans for exposed credentials and APIs. Compromised Twilio and SendGrid credentials are considered particularly harmful, because they let threat actors run spam campaigns that appear to come from these reputable companies.
Recommended Mitigation Measures
In response to the escalating threat, the FBI and CISA advise a number of countermeasures. Among these are keeping operating systems, software, and firmware current, and in particular making sure Apache servers are not running vulnerable versions such as 2.4.49 or 2.4.50. The agencies also stress a secure default configuration in which all URIs deny requests by default, and that Laravel applications are not left running in debug or test mode.
Additionally, cloud credentials should never be stored in .env files, and any that have been must be revoked immediately. The agencies encourage a thorough scan for unrecognized PHP files, especially in the web root or in specific folders such as /vendor/phpunit/phpunit/src/Util/PHP, and scrutiny of any outgoing GET requests to file-sharing sites, which may be indicators of compromise.
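The following audit script is an added example and is not part of the CISA/FBI advisory or of any Androxgh0st sample; it turns the mitigation checks in the two preceding paragraphs (debug/test mode, credentials in .env, unrecognized PHP files under the PHPUnit Util/PHP path and the web root, and outgoing GET requests to file-sharing sites) into something a defender can run against a Laravel application root. It assumes a standard Laravel layout with a .env file, a composer.lock written by the last dependency install, and an egress proxy log in a "client method url" line format. The list of credential variable names and the file-sharing domain list are illustrative assumptions, and the sample tree it builds in a temporary directory is constructed for demonstration.

```shell
#!/bin/sh
# Added example: Androxgh0st mitigation checks for a Laravel app root.
# Not the advisory's own tooling. Assumptions: Laravel .env, composer.lock,
# vendor/ tree, and an egress log with lines of the form "client METHOD url".

# Check 1: the app must not run in debug or test mode.
# Prints "ok" when APP_DEBUG=false and APP_ENV=production, otherwise "fail".
check_app_mode() {
    env_file="$1"
    debug=$(sed -n 's/^APP_DEBUG=//p' "$env_file" | tr -d '"\r' | tr 'A-Z' 'a-z')
    appenv=$(sed -n 's/^APP_ENV=//p' "$env_file" | tr -d '"\r' | tr 'A-Z' 'a-z')
    if [ "$debug" = "false" ] && [ "$appenv" = "production" ]; then
        echo ok
    else
        echo fail
    fi
}

# Check 2: cloud and mail-API credentials should not live in .env at all.
# The variable names are an illustrative allowlist (assumption), not a complete inventory.
# Prints the names of matching variables that carry a non-empty value.
CLOUD_KEYS='AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|SENDGRID_API_KEY|TWILIO_AUTH_TOKEN|MAIL_PASSWORD'
find_cloud_secrets() {
    grep -E "^($CLOUD_KEYS)=." "$1" | cut -d= -f1
}

# Check 3: PHP files that appeared after the last dependency install.
# Anything under the PHPUnit Util/PHP path or the web root that is newer than
# composer.lock was not placed there by composer and deserves manual review.
find_unexpected_php() {
    root="$1"
    for dir in "$root/public" "$root/vendor/phpunit/phpunit/src/Util/PHP"; do
        if [ -d "$dir" ]; then
            find "$dir" -name '*.php' -newer "$root/composer.lock"
        fi
    done
}

# Check 4: outgoing GET requests to file-sharing sites in an egress log.
# The domain list is a placeholder (assumption) an operator replaces with their own.
SHARE_DOMAINS='transfer\.sh|anonfiles\.com|pastebin\.com'
find_exfil_gets() {
    grep -E "GET https?://([a-z0-9.-]*\.)?($SHARE_DOMAINS)(/|$)" "$1"
}

# Constructed sample application root used only to demonstrate the checks.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public" "$root/vendor/phpunit/phpunit/src/Util/PHP"
    cat > "$root/.env" <<'EOF'
APP_ENV=local
APP_DEBUG=true
APP_KEY=base64:CONSTRUCTED
AWS_ACCESS_KEY_ID=CONSTRUCTED_EXAMPLE_ID
AWS_SECRET_ACCESS_KEY=CONSTRUCTED_EXAMPLE_SECRET
MAIL_PASSWORD=
EOF
    : > "$root/composer.lock"
    : > "$root/public/index.php"
    : > "$root/vendor/phpunit/phpunit/src/Util/PHP/LegitimateProcess.php"
    # Backdate the files composer would have written.
    touch -t 202401010000 "$root/composer.lock" "$root/public/index.php" \
        "$root/vendor/phpunit/phpunit/src/Util/PHP/LegitimateProcess.php"
    # A constructed "unrecognized" file dropped after the install.
    : > "$root/vendor/phpunit/phpunit/src/Util/PHP/dropped.php"
    cat > "$root/egress.log" <<'EOF'
10.0.0.5 GET https://www.example.org/index.php
10.0.0.5 GET https://transfer.sh/CONSTRUCTED/notes.txt
10.0.0.5 POST https://api.example.net/v1/send
EOF
    echo "$root"
}

# Stand-alone demonstration against the constructed tree.
SAMPLE=$(make_sample_tree)
echo "app mode: $(check_app_mode "$SAMPLE/.env")"
echo "cloud secrets in .env:"; find_cloud_secrets "$SAMPLE/.env"
echo "php files newer than composer.lock:"; find_unexpected_php "$SAMPLE"
echo "GETs to file-sharing sites:"; find_exfil_gets "$SAMPLE/egress.log"
rm -rf "$SAMPLE"
```

Run it from the application root in place of the constructed tree by pointing the functions at the real .env, the real composer.lock and the proxy log; the composer.lock timestamp heuristic is only meaningful if dependencies are installed by composer and not edited by hand afterwards.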
CISA has also added CVE-2018-15133 to its Known Exploited Vulnerabilities Catalog after confirming that it was being actively exploited by cybercriminals. Federal agencies have been directed to fortify their systems against these attacks by a stipulated deadline, underscoring the seriousness of this threat. With ongoing vigilance and adherence to the recommended practices, network defenders can strengthen their defenses against the emerging challenge posed by the Androxgh0st malware.
Last Updated on November 7, 2024 10:58 pm CET