
FBI: Beware of thieves building Androxgh0st botnets using stolen creds
2024-01-17 01:29

Crooks are exploiting years-old vulnerabilities to deploy Androxgh0st malware and build a cloud-credential stealing botnet, according to the FBI and the Cybersecurity and Infrastructure Security Agency.

Miscreants deploying Androxgh0st like to use three old CVEs in these credential-stealing attacks: CVE-2017-9841, a command injection vulnerability in PHPUnit; CVE-2018-15133, an insecure deserialization bug in the Laravel web application framework that leads to remote code execution; and CVE-2021-41773, a path traversal vulnerability in Apache HTTP Server that also leads to remote code execution.

Androxgh0st scans for websites with .env files exposed, and then issues either a GET request to the /.env URI or a POST request to the same URI, attempting to steal the credentials and tokens stored there.

"A successful response from either of these methods allows the threat actors to look for usernames, passwords, and/or other credentials pertaining to services such as email and AWS accounts," according to the FBI and CISA. For the third method, which exploits the path traversal vulnerability in Apache HTTP Server versions 2.4.49 and 2.4.50, the criminals scan for URLs whose underlying files are not protected by a "Require all denied" configuration; where CGI scripts are also enabled on the server, the same traversal can be turned into remote code execution rather than just reading files outside the document root.
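All three probes described above leave a recognisable trace in a web server's access log: a request for /.env, a POST to PHPUnit's eval-stdin.php, or a traversal sequence such as .%2e/ in the path. The following detector is an added example written for this page, not code from the FBI/CISA alert or from The Register; the log lines are constructed to mimic the combined log format, and the rule names are arbitrary. It decodes the path twice so that the double-encoded variant of the Apache traversal (the 2.4.50 bypass) is caught as well as the single-encoded one the alert describes.

```python
"""Flag Androxgh0st-style probes in Apache/nginx combined-format access logs.

Added example for this page; not from the FBI/CISA alert. Sample log lines
are constructed, and the rule names are this script's own labels.
"""
import re
from urllib.parse import unquote

# Combined log format: host ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Lower-cased suffix of the PHPUnit eval-stdin.php path named in CVE-2017-9841.
PHPUNIT_EVAL = "/vendor/phpunit/phpunit/src/util/php/eval-stdin.php"

# Constructed sample: the three probe types from the alert plus two benign requests.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jan/2024:10:01:03 +0000] "POST /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Jan/2024:10:02:09 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 45 "-" "python-requests/2.31"
203.0.113.12 - - [15/Jan/2024:10:03:17 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1320 "-" "curl/7.88"
198.51.100.5 - - [15/Jan/2024:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.6 - - [15/Jan/2024:10:04:30 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def classify(method, target):
    """Return a rule name if the request looks like one of the three probes, else None."""
    path = target.split("?", 1)[0]
    # Decode twice: ".%2e" -> ".." (CVE-2021-41773) and "%%32%65" -> "%2e" -> "." (2.4.50 bypass).
    decoded = unquote(unquote(path))
    lower = decoded.lower()
    if lower == "/.env" or lower.endswith("/.env"):
        return "env-file-probe"
    if method == "POST" and lower.endswith(PHPUNIT_EVAL):
        return "phpunit-eval-stdin"
    # Browsers normalise ".." away before sending, so a literal ".." segment is a crafted request.
    if any(segment == ".." for segment in decoded.split("/")):
        return "apache-path-traversal"
    return None


def scan(log_text):
    """Return one finding dict per matching log line; 'succeeded' marks a 2xx response."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rule = classify(m["method"], m["target"])
        if rule is None:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "rule": rule,
            "method": m["method"],
            "target": m["target"],
            "status": status,
            "succeeded": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "HIT " if f["succeeded"] else "try "
        print(f"{flag} {f['ip']:<14} {f['rule']:<22} {f['method']} {f['target']} -> {f['status']}")
```

A 2xx on /.env or on eval-stdin.php is the case the alert treats as a successful credential grab, so those rows are the ones to escalate; a 404 still identifies a scanning host. Two things this cannot see: the `<?php` payload for CVE-2017-9841 travels in the POST body, and the CVE-2018-15133 exploit rides in the X-XSRF-TOKEN header, neither of which appears in a standard access log.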

The government security alert includes a list of Androxgh0st indicators of compromise - which is worth a read. Additionally, the FBI and CISA suggest several mitigations to reduce your risk.

On a one-time basis for previously stored cloud credentials, and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services whose credentials are listed in the .env file for unauthorized access or use.
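Working through that review is easier with an inventory of which services actually have secrets in the .env file. The script below is an added example for this page, not part of the alert or the article: it parses a Laravel-style .env file (comments, quoted values, inline comments) and groups the credential-looking keys by their service prefix so each one can be checked and rotated. The sample .env content is constructed, and the name-based heuristic for what counts as a credential is this script's own assumption.

```python
"""Inventory the credentials held in a Laravel-style .env file, grouped by service.

Added example for this page; not from the FBI/CISA alert. The sample .env
is constructed and the credential-name heuristic is an assumption.
"""
import re

# KEY=value, optionally prefixed with "export"; value parsing is done separately.
ENV_LINE = re.compile(r'^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')

# Heuristic: key names that usually hold a secret. Assumed, not from the alert.
CREDENTIAL_HINT = re.compile(r'KEY|SECRET|PASSWORD|PASS|TOKEN|CREDENTIAL', re.I)

# Constructed sample .env; values are placeholders, the AWS pair is Amazon's documentation example.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_DEBUG=true
APP_KEY=base64:Zm9vYmFyYmF6cXV4cXV1eG5vdGFyZWFsa2V5IQ==
DB_HOST=127.0.0.1
DB_PASSWORD="s3cr3t pass"
MAIL_HOST=smtp.example.com
MAIL_PASSWORD=mailpass123   # trailing comment
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
TWILIO_AUTH_TOKEN=
# STRIPE_SECRET=sk_test_abc
"""


def parse_env(text):
    """Return {KEY: value} for the .env text, honouring quotes and '#' comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value[:1] in ("'", '"') and value.count(value[0]) >= 2:
            quote = value[0]
            value = value[1:value.index(quote, 1)]      # quoted: keep spaces and '#'
        else:
            value = value.split(" #", 1)[0].rstrip()     # unquoted: strip inline comment
        values[key] = value
    return values


def credential_inventory(text):
    """Map service prefix -> [(key, populated)] for every credential-looking key."""
    inventory = {}
    for key, value in parse_env(text).items():
        if not CREDENTIAL_HINT.search(key):
            continue
        service = key.split("_", 1)[0]                   # AWS_SECRET_ACCESS_KEY -> AWS
        inventory.setdefault(service, []).append((key, bool(value)))
    return inventory


if __name__ == "__main__":
    for service, keys in credential_inventory(SAMPLE_ENV).items():
        print(f"{service}:")
        for key, populated in keys:
            print(f"  {key:<24} {'rotate and audit' if populated else 'empty, nothing to rotate'}")
```

Run it against the real file rather than the committed template and treat every populated entry as something to review in that service's own audit log and then rotate. The Laravel APP_KEY belongs on the list as well: the CVE-2018-15133 exploit depends on knowing it, so an exposed .env hands an attacker both the cloud credentials and the key needed for the framework RCE.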


News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/17/fbi_botnet_warning/

Related Vulnerability

Date        CVE             Title                                                  Risk
2021-10-05  CVE-2021-41773  Path Traversal vulnerability in multiple products      7.5
            A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49.
            Attack vector: network; attack complexity: low; CWE-22; vendors: apache, fedoraproject, oracle, netapp

2018-08-09  CVE-2018-15133  Deserialization of Untrusted Data vulnerability in Laravel   8.1
            In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value.
            Attack vector: network; attack complexity: high; CWE-502; vendor: laravel

2017-06-27  CVE-2017-9841   Code Injection vulnerability in multiple products      7.5
            Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
            Attack vector: network; attack complexity: low; CWE-94; vendors: phpunit-project, oracle