Security News > 2024 > January > FBI: Beware of thieves building Androxgh0st botnets using stolen creds

Crooks are exploiting years-old vulnerabilities to deploy Androxgh0st malware and build a cloud-credential stealing botnet, according to the FBI and the Cybersecurity and Infrastructure Security Agency.

Miscreants deploying Androxgh0st like to use three old CVEs in these credential-stealing attacks: CVE-2017-9841, a command injection vulnerability in PHPUnit; CVE-2018-15133, an insecure deserialization bug in the Laravel web application framework that leads to remote code execution; and CVE-2021-41773, a path traversal vulnerability in Apache HTTP Server that also leads to remote code execution.

Env files exposed, and then issues either a GET request to the /.env URI or a POST request to the same URI and attempts to steal credentials and tokens.

"A successful response from either of these methods allows the threat actors to look for usernames, passwords, and/or other credentials pertaining to services such as email and AWS accounts," according to the FBI and CISA. The third method, which exploits a vulnerability in web servers running Apache HTTP Server versions 2.4.49 or 2.4.50 to launch a path traversal attack, criminals scan for URLs that are not protected by the "Request all denied" configuration and do not have Common Gateway Interface scripts enabled.

The government security alert includes a list of Androxgh0st indicators of compromise - which is worth a read. Additionally, the FBI and CISA suggest several mitigations to reduce your risk.

On a one-time basis for previously stored cloud credentials, as well as regularly for other types of credentials that cannot be removed, review any platforms or services that list credentials in.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/17/fbi_botnet_warning/