Hackers are building a dangerous new botnet that goes after Microsoft and AWS assets, new safety advice released by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) has warned.
According to the advisory, researchers have spotted threat actors using the Androxgh0st malware to compromise computers and servers.
They were seen scanning endpoints for three remote code execution vulnerabilities: CVE-2017-9841, CVE-2021-41773, and CVE-2018-15133. Taking advantage of these flaws, the attackers would use Androxgh0st to obtain .env files containing sensitive data, including (among others) credentials for AWS and Microsoft resources.
Mitigating the threat
Androxgh0st is capable of more than ‘just’ compromising vulnerable devices and stealing login credentials. It can also abuse the Simple Mail Transfer Protocol (SMTP) and check whether the email accounts found on the affected computers have a sending limit. If the limit is high enough, the malware can be used to launch phishing and spam campaigns.
Additionally, hackers can use the stolen access to Microsoft and AWS resources to create fake pages on compromised websites, giving them backdoor access to databases containing sensitive information.
To stay safe, the FBI and CISA say, organizations should make sure their operating systems, software and firmware are all updated. Ensuring that their Apache servers are not running version 2.4.49 or 2.4.50 was identified as critical. They should also ensure that the default configuration for all URIs is to deny all requests unless there is a specific need to make them accessible. Finally, Laravel applications should not be in debug or test mode, and cloud credentials should not be present in .env files.
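A quick way to check a host against the last three recommendations is to audit its Laravel .env file and its Apache version. The script below is an added example, not part of the advisory or the original article; the sample .env and `httpd -v` output are constructed, and the list of cloud-credential key prefixes is an assumption.

```python
import re

# Constructed sample .env showing the weak settings the advisory warns about
SAMPLE_ENV = """APP_NAME=Shop
APP_ENV=local
APP_DEBUG=true
AWS_ACCESS_KEY_ID=AKIA-PLACEHOLDER-NOT-REAL
AWS_SECRET_ACCESS_KEY=placeholder-secret
MAIL_HOST=smtp.example.com
"""

# Constructed `httpd -v` output for a version named in the advisory
SAMPLE_HTTPD_V = "Server version: Apache/2.4.49 (Unix)\nServer built:   Oct  1 2021"

VULNERABLE_APACHE = {"2.4.49", "2.4.50"}        # versions the advisory says to avoid
NON_PRODUCTION_ENVS = {"local", "testing"}      # assumption: how "test mode" shows up in APP_ENV
CLOUD_KEY_PREFIXES = ("AWS_", "AZURE_", "MS_")  # assumption: key names that hold cloud credentials


def parse_env(text):
    """Parse KEY=VALUE lines from a .env file into a dict, ignoring comments and blanks."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit_env(text):
    """Return a list of findings for debug/test mode and cloud credentials kept in .env."""
    env = parse_env(text)
    findings = []
    if env.get("APP_DEBUG", "").lower() == "true":
        findings.append("APP_DEBUG=true: Laravel debug pages can expose configuration to attackers")
    if env.get("APP_ENV", "").lower() in NON_PRODUCTION_ENVS:
        findings.append(f"APP_ENV={env['APP_ENV']}: application is not in production mode")
    for key in env:
        if key.upper().startswith(CLOUD_KEY_PREFIXES):
            findings.append(f"{key} stored in .env: move cloud credentials to an IAM role or secrets manager")
    return findings


def apache_version_vulnerable(httpd_v_output):
    """True if `httpd -v` output reports one of the Apache versions named in the advisory."""
    match = re.search(r"Apache/(\d+\.\d+\.\d+)", httpd_v_output)
    return match is not None and match.group(1) in VULNERABLE_APACHE
```

Run `audit_env` over a real .env and `apache_version_vulnerable` over the output of `httpd -v` (or `apache2 -v`) to get a finding list; an empty list and `False` mean the host passes these three checks.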
The full list of recommendations can be found in the advisory (via BleepingComputer).
CVE-2018-15133, described as a Laravel deserialization of untrusted data vulnerability, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog as actively exploited.